openscap-daemon-0.1.8/������������������������������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�013251� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/perform-static-analysis�������������������������������������������������������0000755�0001751�0000033�00000001614�13163222324�017761� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/env bash
OUTPUT_FILE="static-analysis-output"
which pylint && which pychecker && which pyflakes
if [ $? -ne 0 ]; then
echo "One or more dependencies were not found!"
exit 1
fi
echo "Output from static analysis tools" > $OUTPUT_FILE
echo "=================================" >> $OUTPUT_FILE
echo >> $OUTPUT_FILE
echo "Running pylint 1/3..."
echo "pylint:" >> $OUTPUT_FILE
echo >> $OUTPUT_FILE
pylint --rcfile pylint.cfg openscap_daemon >> $OUTPUT_FILE
echo >> $OUTPUT_FILE
echo "Running pychecker 2/3..."
echo "pychecker:" >> $OUTPUT_FILE
echo >> $OUTPUT_FILE
find openscap_daemon/ -name "*\.py" -print0 | xargs --null pychecker --limit 0 2>&1 >> $OUTPUT_FILE
echo >> $OUTPUT_FILE
echo "Running pyflakes 3/3..."
echo "pyflakes:" >> $OUTPUT_FILE
echo >> $OUTPUT_FILE
pyflakes openscap_daemon >> $OUTPUT_FILE
echo >> $OUTPUT_FILE
echo "Static analysis finished, output in $OUTPUT_FILE"
��������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/README.md���������������������������������������������������������������������0000644�0001751�0000033�00000026154�13163222324�014540� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# OpenSCAP-daemon
> Continuously evaluate your infrastructure for *SCAP* compliance!
> Avoid copying big SCAP files around, avoid having to type long IDs, avoid
> writing ad-hoc bash scripts to solve your compliance needs!
## Project Description
OpenSCAP-daemon is a service that performs SCAP scans of bare-metal machines,
virtual machines and containers. These scans can be either one-shot or
continuous according to a schedule. You can interact with the service
using the provided oscapd-cli tool or via the DBus interface.
## Motivation
The [OpenSCAP](http://open-scap.org) project has progressed greatly over the
past years and now provides very nice tooling to perform solicited one-off
*SCAP* evaluation of the machine it runs on. Unsolicited, continuous or
planned evaluation has always been out of scope of *OpenSCAP* to avoid feature
creep. The previously mentioned use-case is very desirable and has been
requested many times. We feel that now the time is right to start a project
that **helps you run oscap** and **does evaluation for you**. *OpenSCAP-daemon*
is such a project.
The project currently comprises of two parts, the **daemon** that runs in the
background sleeping until a task needs processing, and the **command-line tool**
that talks to the aforementioned daemon using *dbus*. Do not be alarmed, the
**command-line tool** is much easier to use than pure `oscap` for common
use-cases.
## Features
* *SCAP* evaluation of the following assets using
[OpenSCAP](http://open-scap.org) -- a **NIST-certified** scanner
* **local machine** -- `oscap`
* **remote machine** -- `oscap-ssh`
* **virtual machine** -- `oscap-vm`
* **container** -- `oscap-docker`
* flexible task definition and planning
* use any valid *SCAP* content -- for example
[SCAP Security Guide](http://github.com/OpenSCAP/scap-security-guide),
[NIST USGCB](http://usgcb.nist.gov/), or even
[RHSA OVAL](https://www.redhat.com/security/data/oval/)
* evaluate *daily*, *weekly*, *monthly* or in custom intervals
* evaluate on demand
* parallel task processing
* results storage -- query ARFs of past results, generate HTML reports, get
`oscap` stdout/stderr and exit codes
* command-line interface
* *dbus* *API*
* fully automated CVE evaluation of containers using OpenSCAP and Atomic.mount
* *Cockpit* integration (planned)
## Key Goals & Design Decisions
We have learned many important lessons when developing the lower layers of the
*SCAP* evaluation stack that we want to address in this project.
- **useful defaults** -- just pressing *Enter* and not providing any details
should still yield a valid setup
- **simplicity** -- we avoid *RDBMS* and instead use features of the filesystem
- **datastreams** -- *SDS* (source datastream) and *ARF* (results datastream)
are both used as primary data formats for maximum compatibility between
various tools
- **interactive CLI** -- the CLI should be as interactive as possible, user
shouldn't need to type any IDs or other lengthy options
## Example Use-Cases
### Scan a container or container image on Atomic Host
Atomic host can use the functionality in OpenSCAP-Daemon to perform vulnerability
scans of containers and container images using the `atomic scan` command.
To use this functionality, install atomic. Then install openscap-daemon either
in standalone mode or as a SPC container image. When the daemon is running
the `atomic scan` functionality is available.
### Scan all containers or all contaner images on Atomic Host
The `atomic scan` command has command-line arguments --images, --containers and
--all that scan all images, all container and everything respectively.
### Scan local machine every day at 1:00 AM UTC
OpenSCAP-daemon thinks in terms of tasks. Let us first define the task we want
to perform:
```bash
# interactively create a new task
oscapd-cli task-create -i
Creating new task in interactive mode
Title: Daily USGCB
Target (empty for localhost):
Found the following SCAP Security Guide content:
1: /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
2: /usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
3: /usr/share/xml/scap/ssg/content/ssg-java-ds.xml
4: /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
5: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Choose SSG content by number (empty for custom content): 4
Tailoring file (absolute path, empty for no tailoring):
Found the following possible profiles:
1: CSCF RHEL6 MLS Core Baseline (id='xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS')
2: United States Government Configuration Baseline (USGCB) (id='xccdf_org.ssgproject.content_profile_usgcb-rhel6-server')
3: Common Profile for General-Purpose Systems (id='xccdf_org.ssgproject.content_profile_common')
4: PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6 (id='xccdf_org.ssgproject.content_profile_pci-dss')
5: Example Server Profile (id='xccdf_org.ssgproject.content_profile_CS2')
6: C2S for Red Hat Enterprise Linux 6 (id='xccdf_org.ssgproject.content_profile_C2S')
7: Common Profile for General-Purpose SystemsUpstream STIG for RHEL 6 Server (id='xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream')
8: Common Profile for General-Purpose SystemsServer Baseline (id='xccdf_org.ssgproject.content_profile_server')
9: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) (id='xccdf_org.ssgproject.content_profile_rht-ccp')
Choose profile by number (empty for (default) profile): 2
Online remediation (1, y or Y for yes, else no):
Schedule:
- not before (YYYY-MM-DD HH:MM in UTC, empty for NOW): 2014-07-30 01:00
- repeat after (hours or @daily, @weekly, @monthly, empty or 0 for no repeat): @daily
Task created with ID '1'. It is currently set as disabled. You can enable it with `oscapd-cli task 1 enable`.
```
As the command-line interface suggests, we need to enable the task.
```bash
# enable previously created task of given ID
oscapd-cli task 1 enable
```
We may also want to see the HTML guide of our specified task to confirm it will do what we need.
```bash
# get the HTML guide of task of ID 1
oscapd-cli task 1 guide > guide.html
# open the guide in firefox
firefox guide.html
```
At this point `oscapd` will evaluate the local machine at `1:00 AM UTC` every
day and store all the results. To finish this use-case, lets see how we can
query the results after a week of evaluations.
```bash
# list all available results of task 1
$ oscapd-cli result 1
7
6
5
4
3
2
1
# get the verbatim results ARF of the 4th result of task 1
oscapd-cli result 1 4 arf > exported-arf.xml
# get the HTML report of previously mentioned result
oscapd-cli result 1 4 report > report.html
# open the report in firefox
firefox report.html
```
### Solicited evaluation
Sometimes we may want to run the evaluation outside the schedule for testing
or other purposes. The task may even be scheduled to never run automatically!
Such tasks are sometimes necessary.
```bash
# run task of ID 1 immediately
oscapd-cli task 1 run
# query available results
oscapd-cli result 1
8
7
6
# [snip]
# fetch ARF of result 8 of task 1
oscapd-cli result 1 8 arf > exported-arf.xml
```
### Evaluate something else than local machine
Every task has a *target* attribute that can take various forms:
* localhost -- scan the local machine, the same machine the daemon runs on
* ssh://auditor@192.168.0.22 -- scan remote machine of given IP with given username
* make sure you can log onto the same machine non-interactively!
* ssh+sudo://auditor@192.168.0.22 -- scan remote machine of given IP with given username with sudo privileges
* sudo mustn't require tty
* vm://qemu+kvm://localhost/VM1 -- virtual machine -- work in progress, subject to change
* docker://container_id -- local container -- work in progress, subject to change
The rest of the use-case is similar to previously mentioned use-cases. It is
important to remark that the *SCAP* content only needs to be available on the
local machine -- the machine that runs *OpenSCAP-daemon*. It is not necessary
to perform any extra manual action to get the content to the scanned machines,
this is done automatically.
### Scan all images in my registry to make sure no vulnerable images are published
When maintaining a registry it makes sense to unpublish images that have known
vulnerabilities to prevent people from using them.
We need to react to the CVE feeds changing and re-scan the images and of course
we need to scan all new images incoming into the registry.
This is a future use-case that hasn't been fully implemented yet.
## Requirements
* [*python2*](http://python.org) >= 2.6 OR [*python3*](http://python.org) >= 3.2
* full source compatibility with *python2* and *python3*
* [*OpenSCAP*](http://open-scap.org) >= 1.2.6
* [*dbus-python*](http://www.freedesktop.org/wiki/Software/DBusBindings/)
* (optional) [*Atomic*](http://www.projectatomic.io) >= 1.4
* (optional) [*docker*](http://www.docker.com)
## Running the test-suite
The test-suite can be run without installing the software.
```bash
cd openscap-daemon
cd tests
./make_check
```
## Installation on Linux (standalone on host)
```bash
cd openscap-daemon
# as a python2 application
sudo python2 setup.py install
# as a python3 application
sudo python3 setup.py install
```
## Building a container with OpenSCAP Daemon
Containerized version of OpenSCAP Daemon is used as a backend for the
'atomic scan' command. Atomic scan can scan containers and images
for vulnerabilities and configuration compliance.
You can build and install the container image using these commands:
```bash
./generate-dockerfile.py
docker build -t openscap .
atomic install openscap
```
At this point you can run 'atomic scan' on the host.
The image is not meant to be run outside of the atomic command.
The image is based on Fedora and contains OpenSCAP, OpenSCAP Daemon
and SCAP Security Guide as they are available in Fedora packages.
To install your local working tree of OpenSCAP Daemon instead, add
`--daemon-from-local` to the `./generate-dockerfile.py`.
If you need the latest code from upstream git of OpenSCAP and/or
SCAP Security Guide instead, pass `--openscap-from-git` and/or
`--ssg-from-git` to the `./generate-dockerfile.py`.
## API Consumers
> Please do not rely on the API just yet, we reserve the right to make breaking
> changes. The API will stabilize in time for 1.0.0 release.
OpenSCAP-daemon provides a stable dbus API that is designed to be used by
other projects.
### Atomic Integration
OpenSCAP-daemon is used to implement the `atomic scan` functionality.
`atomic scan` allows users to scan containers and container images for
vulnerabilities.
### Cockpit Integration
Features:
* declare new tasks, schedule when they run, set how they repeat
* generate HTML guides of scheduled tasks
* show past results of tasks
* get ARFs, HTML reports for past results
* set tasks to automatically push results to external result stores
* most importantly to [*scaptimony*](http://github.com/OpenSCAP/scaptimony)
### Foreman Integration
Provide a way to reliably do one-off tasks. Unify various `oscap` runners into
one code-base.
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/LICENSE�����������������������������������������������������������������������0000644�0001751�0000033�00000063536�13163222324�014273� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������� GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
(This is the first released version of the Lesser GPL. It also counts
as the successor of the GNU Library Public License, version 2, hence
the version number 2.1.)
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
Licenses are intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users.
This license, the Lesser General Public License, applies to some
specially designated software packages--typically libraries--of the
Free Software Foundation and other authors who decide to use it. You
can use it too, but we suggest you first think carefully about whether
this license or the ordinary General Public License is the better
strategy to use in any particular case, based on the explanations below.
When we speak of free software, we are referring to freedom of use,
not price. Our General Public Licenses are designed to make sure that
you have the freedom to distribute copies of free software (and charge
for this service if you wish); that you receive source code or can get
it if you want it; that you can change the software and use pieces of
it in new free programs; and that you are informed that you can do
these things.
To protect your rights, we need to make restrictions that forbid
distributors to deny you these rights or to ask you to surrender these
rights. These restrictions translate to certain responsibilities for
you if you distribute copies of the library or if you modify it.
For example, if you distribute copies of the library, whether gratis
or for a fee, you must give the recipients all the rights that we gave
you. You must make sure that they, too, receive or can get the source
code. If you link other code with the library, you must provide
complete object files to the recipients, so that they can relink them
with the library after making changes to the library and recompiling
it. And you must show them these terms so they know their rights.
We protect your rights with a two-step method: (1) we copyright the
library, and (2) we offer you this license, which gives you legal
permission to copy, distribute and/or modify the library.
To protect each distributor, we want to make it very clear that
there is no warranty for the free library. Also, if the library is
modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be
introduced by others.
Finally, software patents pose a constant threat to the existence of
any free program. We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a
restrictive license from a patent holder. Therefore, we insist that
any patent license obtained for a version of the library must be
consistent with the full freedom of use specified in this license.
Most GNU software, including some libraries, is covered by the
ordinary GNU General Public License. This license, the GNU Lesser
General Public License, applies to certain designated libraries, and
is quite different from the ordinary General Public License. We use
this license for certain libraries in order to permit linking those
libraries into non-free programs.
When a program is linked with a library, whether statically or using
a shared library, the combination of the two is legally speaking a
combined work, a derivative of the original library. The ordinary
General Public License therefore permits such linking only if the
entire combination fits its criteria of freedom. The Lesser General
Public License permits more lax criteria for linking other code with
the library.
We call this license the "Lesser" General Public License because it
does Less to protect the user's freedom than the ordinary General
Public License. It also provides other free software developers Less
of an advantage over competing non-free programs. These disadvantages
are the reason we use the ordinary General Public License for many
libraries. However, the Lesser license provides advantages in certain
special circumstances.
For example, on rare occasions, there may be a special need to
encourage the widest possible use of a certain library, so that it becomes
a de-facto standard. To achieve this, non-free programs must be
allowed to use the library. A more frequent case is that a free
library does the same job as widely used non-free libraries. In this
case, there is little to gain by limiting the free library to free
software only, so we use the Lesser General Public License.
In other cases, permission to use a particular library in non-free
programs enables a greater number of people to use a large body of
free software. For example, permission to use the GNU C Library in
non-free programs enables many more people to use the whole GNU
operating system, as well as its variant, the GNU/Linux operating
system.
Although the Lesser General Public License is Less protective of the
users' freedom, it does ensure that the user of a program that is
linked with the Library has the freedom and the wherewithal to run
that program using a modified version of the Library.
The precise terms and conditions for copying, distribution and
modification follow. Pay close attention to the difference between a
"work based on the library" and a "work that uses the library". The
former contains code derived from the library, whereas the latter must
be combined with the library in order to run.
GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library or other
program which contains a notice placed by the copyright holder or
other authorized party saying it may be distributed under the terms of
this Lesser General Public License (also called "this License").
Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data
prepared so as to be conveniently linked with application programs
(which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work
which has been distributed under these terms. A "work based on the
Library" means either the Library or any derivative work under
copyright law: that is to say, a work containing the Library or a
portion of it, either verbatim or with modifications and/or translated
straightforwardly into another language. (Hereinafter, translation is
included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for
making modifications to it. For a library, complete source code means
all the source code for all modules it contains, plus any associated
interface definition files, plus the scripts used to control compilation
and installation of the library.
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running a program using the Library is not restricted, and output from
such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for
writing it). Whether that is true depends on what the Library does
and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an
appropriate copyright notice and disclaimer of warranty; keep intact
all the notices that refer to this License and to the absence of any
warranty; and distribute a copy of this License along with the
Library.
You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a
fee.
2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices
stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no
charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a
table of data to be supplied by an application program that uses
the facility, other than as an argument passed when the facility
is invoked, then you must make a good faith effort to ensure that,
in the event an application does not supply such function or
table, the facility still operates, and performs whatever part of
its purpose remains meaningful.
(For example, a function in a library to compute square roots has
a purpose that is entirely well-defined independent of the
application. Therefore, Subsection 2d requires that any
application-supplied function or table used by this function must
be optional: if the application does not supply it, the square
root function must still compute square roots.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Library,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Library, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote
it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Library.
In addition, mere aggregation of another work not based on the Library
with the Library (or with a work based on the Library) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public
License instead of this License to a given copy of the Library. To do
this, you must alter all the notices that refer to this License, so
that they refer to the ordinary GNU General Public License, version 2,
instead of to this License. (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.) Do not make any other change in
these notices.
Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.
This option is useful when you wish to copy part of the code of
the Library into a program that is not a library.
4. You may copy and distribute the Library (or a portion or
derivative of it, under Section 2) in object code or executable form
under the terms of Sections 1 and 2 above provided that you accompany
it with the complete corresponding machine-readable source code, which
must be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange.
If distribution of object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the
source code from the same place satisfies the requirement to
distribute the source code, even though third parties are not
compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the
Library, but is designed to work with the Library by being compiled or
linked with it, is called a "work that uses the Library". Such a
work, in isolation, is not a derivative work of the Library, and
therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library
creates an executable that is a derivative of the Library (because it
contains portions of the Library), rather than a "work that uses the
library". The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file
that is part of the Library, the object code for the work may be a
derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be
linked without the Library, or if the work is itself a library. The
threshold for this to be true is not precisely defined by law.
If such an object file uses only numerical parameters, data
structure layouts and accessors, and small macros and small inline
functions (ten lines or less in length), then the use of the object
file is unrestricted, regardless of whether it is legally a derivative
work. (Executables containing this object code plus portions of the
Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may
distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
under terms of your choice, provided that the terms permit
modification of the work for the customer's own use and reverse
engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the
Library is used in it and that the Library and its use are covered by
this License. You must supply a copy of this License. If the work
during execution displays copyright notices, you must include the
copyright notice for the Library among them, as well as a reference
directing the user to the copy of this License. Also, you must do one
of these things:
a) Accompany the work with the complete corresponding
machine-readable source code for the Library including whatever
changes were used in the work (which must be distributed under
Sections 1 and 2 above); and, if the work is an executable linked
with the Library, with the complete machine-readable "work that
uses the Library", as object code and/or source code, so that the
user can modify the Library and then relink to produce a modified
executable containing the modified Library. (It is understood
that the user who changes the contents of definitions files in the
Library will not necessarily be able to recompile the application
to use the modified definitions.)
b) Use a suitable shared library mechanism for linking with the
Library. A suitable mechanism is one that (1) uses at run time a
copy of the library already present on the user's computer system,
rather than copying library functions into the executable, and (2)
will operate properly with a modified version of the library, if
the user installs one, as long as the modified version is
interface-compatible with the version that the work was made with.
c) Accompany the work with a written offer, valid for at
least three years, to give the same user the materials
specified in Subsection 6a, above, for a charge no more
than the cost of performing this distribution.
d) If distribution of the work is made by offering access to copy
from a designated place, offer equivalent access to copy the above
specified materials from the same place.
e) Verify that the user has already received a copy of these
materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the
Library" must include any data and utility programs needed for
reproducing the executable from it. However, as a special exception,
the materials to be distributed need not include anything that is
normally distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating system on
which the executable runs, unless that component itself accompanies
the executable.
It may happen that this requirement contradicts the license
restrictions of other proprietary libraries that do not normally
accompany the operating system. Such a contradiction means you cannot
use both them and the Library together in an executable that you
distribute.
7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined
library, provided that the separate distribution of the work based on
the Library and of the other library facilities is otherwise
permitted, and provided that you do these two things:
a) Accompany the combined library with a copy of the same work
based on the Library, uncombined with any other library
facilities. This must be distributed under the terms of the
Sections above.
b) Give prominent notice with the combined library of the fact
that part of it is a work based on the Library, and explaining
where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute
the Library except as expressly provided under this License. Any
attempt otherwise to copy, modify, sublicense, link with, or
distribute the Library is void, and will automatically terminate your
rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance.
9. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Library or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Library (or any work based on the
Library), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Library or works based on it.
10. Each time you redistribute the Library (or any work based on the
Library), the recipient automatically receives a license from the
original licensor to copy, distribute, link with or modify the Library
subject to these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with
this License.
11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Library at all. For example, if a patent
license would not permit royalty-free redistribution of the Library by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Library.
If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply,
and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
12. If the distribution and/or use of the Library is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Library under this License may add
an explicit geographical distribution limitation excluding those countries,
so that distribution is permitted only in or among countries not thus
excluded. In such case, this License incorporates the limitation as if
written in the body of this License.
13. The Free Software Foundation may publish revised and/or new
versions of the Lesser General Public License from time to time.
Such new versions will be similar in spirit to the present version,
but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Library
specifies a version number of this License which applies to it and
"any later version", you have the option of following the terms and
conditions either of that version or of any later version published by
the Free Software Foundation. If the Library does not specify a
license version number, you may choose any version ever published by
the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these,
write to the author to ask for permission. For software which is
copyrighted by the Free Software Foundation, write to the Free
Software Foundation; we sometimes make exceptions for this. Our
decision will be guided by the two goals of preserving the free status
of all derivatives of our free software and of promoting the sharing
and reuse of software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Libraries
If you develop a new library, and you want it to be of the greatest
possible use to the public, we recommend making it free software that
everyone can redistribute and change. You can do so by permitting
redistribution under these terms (or, alternatively, under the terms of the
ordinary General Public License).
To apply these terms, attach the following notices to the library. It is
safest to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least the
"copyright" line and a pointer to where the full notice is found.
{description}
Copyright (C) {year} {fullname}
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
USA
Also add information on how to contact you by electronic and paper mail.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the library, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the
library `Frob' (a library for tweaking knobs) written by James Random
Hacker.
{signature of Ty Coon}, 1 April 1990
Ty Coon, President of Vice
That's all there is to it!
������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/bin/��������������������������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�014021� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/bin/oscapd-evaluate�����������������������������������������������������������0000755�0001751�0000033�00000053656�13163222324�017043� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python
# Copyright 2016 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
from openscap_daemon import config as config_
from openscap_daemon import evaluation_spec
from openscap_daemon import oscap_helpers
from openscap_daemon import cli_helpers
from openscap_daemon import version
from openscap_daemon.evaluation_spec import ProfileSuffixMatchError
import os
import os.path
import logging
import argparse
import sys
import threading
import io
import json
import datetime
if sys.version_info < (3,):
import Queue
else:
import queue as Queue
def cli_xml(args, config):
spec = evaluation_spec.EvaluationSpec()
spec.load_from_xml_file(args.path)
results, stdout, stderr, exit_code = spec.evaluate(config)
if args.results is not None:
args.results.write(results)
args.results.close()
if args.stdout is not None:
args.stdout.write(stdout)
args.stdout.close()
if args.stderr is not None:
args.stderr.write(stderr)
args.stderr.close()
sys.exit(exit_code)
def cli_spec(args, config):
spec = evaluation_spec.EvaluationSpec()
spec.mode = oscap_helpers.EvaluationMode.from_string(args.mode)
spec.target = args.target
if spec.mode not in [oscap_helpers.EvaluationMode.CVE_SCAN,
oscap_helpers.EvaluationMode.STANDARD_SCAN]:
spec.input_.set_contents(args.input_.read())
if args.tailoring is not None:
spec.tailoring.set_contents(args.tailoring.read())
spec.profile_id = args.profile
spec.online_remediation = args.remediate
if args.print_xml:
print(spec.to_xml_source())
sys.exit(0)
else:
results, stdout, stderr, exit_code = spec.evaluate(config)
if args.results is not None:
args.results.write(results)
args.results.close()
if args.stdout is not None:
args.stdout.write(stdout)
args.stdout.close()
if args.stderr is not None:
args.stderr.write(stderr)
args.stderr.close()
sys.exit(exit_code)
def cli_scan(args, config):
assert(os.path.isdir(args.output))
output_dir_map = {}
targets = cli_helpers.preprocess_targets(args.targets, output_dir_map)
queue = Queue.Queue(len(targets))
for target in targets:
queue.put_nowait(target)
scanned_targets = []
failed_targets = []
def scan_worker():
while True:
try:
target = queue.get(False)
if len(failed_targets) > 0:
failed_targets.append(target)
queue.task_done()
continue
cve_results = None
cve_last_updated = None
standard_scan_results = None
logging.debug("Started scanning target '%s'", target)
started_time = None
finished_time = None
try:
started_time = datetime.datetime.now()
cpes = []
try:
cpes = evaluation_spec.EvaluationSpec.\
detect_CPEs_of_target(target, config)
except:
logging.exception(
"Failed to detect CPEs of target '%s'. "
"Assuming no CPEs..." % (target)
)
if not args.no_cve_scan:
es = evaluation_spec.EvaluationSpec()
es.mode = oscap_helpers.EvaluationMode.CVE_SCAN
es.target = target
es.cpe_hints = cpes
try:
cve_results, stdout, stderr, exit_code = \
es.evaluate(config)
if exit_code == 1:
logging.warning(
"CVE scan of target '%s' failed with "
"exit_code %i.\n\nstdout:%s\n\nstderr:%s" %
(target, exit_code, stdout, stderr)
)
except:
logging.exception(
"Failed to scan target '%s' for "
"vulnerabilities." % (target)
)
try:
cve_last_updated = config.cve_feed_manager.\
get_cve_feed_last_updated(cpes)
except:
# this is not a crucial part of evaluation, the
# last modified date can be unknown.
pass
if not args.no_standard_compliance:
es = evaluation_spec.EvaluationSpec()
es.mode = oscap_helpers.EvaluationMode.STANDARD_SCAN
es.target = target
es.cpe_hints = cpes
ssg_sds = config.get_ssg_sds(cpes)
es.input_.set_file_path(ssg_sds)
try:
args.profile = es.select_profile_by_suffix(args.profile)
except ProfileSuffixMatchError as e:
logging.error(
"Failed to find profile matching suffix '%s' "
"in profiles applicable to target '%s': %s"
% (args.profile, target, e.message)
)
raise RuntimeError
try:
standard_scan_results, stdout, stderr, exit_code = \
es.evaluate(config)
if exit_code == 1:
logging.warning(
"Configuration compliance scan of target '%s' "
"using profile '%s' "
"failed with exit_code %i.\n\nstdout:%s\n\n"
"stderr:%s" %
(target, es.profile_id, exit_code, stdout, stderr)
)
except:
logging.exception(
"Failed to scan target '%s' for "
"configuration compliance." % (target)
)
finished_time = datetime.datetime.now()
except Exception as e:
logging.exception(e)
failed_targets.append(target)
queue.task_done()
scanned_targets.append(
(target, cve_results, cve_last_updated,
standard_scan_results, started_time, finished_time)
)
percent = "{0:6.2f}%".format(
float(len(scanned_targets) * 100) / len(targets)
)
logging.info("[%s] Scanned target '%s'", percent, target)
except Queue.Empty:
break
assert(args.jobs > 0)
workers = []
for worker_id in range(args.jobs):
worker = threading.Thread(
name="Atomic scan worker #%i" % (worker_id),
target=scan_worker
)
workers.append(worker)
worker.start()
try:
queue.join()
except KeyboardInterrupt:
failed_targets.append(None)
for worker in workers:
worker.join()
sys.stderr.write("Evaluation interrupted by user!\n")
if len(failed_targets) > 0:
sys.stderr.write(
"Fatal error encountered while evaluating! Failed to evaluate "
"at least %i targets!\n" % (len(failed_targets) - 1)
)
for target, cve_results, cve_last_updated, standard_scan_results, \
started_time, finished_time in scanned_targets:
output_dir = ""
if target in output_dir_map:
output_dir = output_dir_map[target]
else:
output_dir = target
output_dir = output_dir.replace(":", "_")
output_dir = output_dir.replace("/", "_")
json_target = target
if json_target.startswith("chroot://"):
json_target = json_target[len("chroot://"):]
json_data = {}
json_data["UUID"] = json_target
json_data["Scanner"] = "openscap"
json_data["Time"] = started_time.strftime("%Y-%m-%dT%H:%M:%S") \
if started_time is not None else "unknown"
json_data["Finished Time"] = \
finished_time.strftime("%Y-%m-%dT%H:%M:%S") \
if finished_time is not None else "unknown"
if cve_results is not None:
json_data["CVE Feed Last Updated"] = \
cve_last_updated.strftime("%Y-%m-%dT%H:%M:%S") \
if cve_last_updated is not None else "unknown"
json_data["Vulnerabilities"] = []
if (args.no_cve_scan or cve_results) and \
(args.no_standard_compliance or standard_scan_results):
json_data["Successful"] = "true"
else:
json_data["Successful"] = "false"
scan_type = []
full_output_dir = os.path.join(args.output, output_dir)
try:
os.makedirs(full_output_dir)
except OSError as e:
if e.errno != 17: # it's fine if it already exists
raise
if cve_results is not None:
scan_type.append("CVE")
cli_helpers.summarize_cve_results(
cve_results, json_data["Vulnerabilities"]
)
with io.open(os.path.join(
full_output_dir, "cve.xml"), "w",
encoding="utf-8") as f:
f.write(cve_results)
if standard_scan_results is not None:
scan_type.append("Configuration Compliance")
cli_helpers.summarize_standard_compliance_results(
standard_scan_results, json_data["Vulnerabilities"], args.profile
)
json_data["Profile"] = args.profile
arf_filepath = os.path.join(full_output_dir, "arf.xml")
with io.open(arf_filepath, "w", encoding="utf-8") as f:
f.write(standard_scan_results)
if args.fix_type is not None:
fix_script = oscap_helpers.generate_fix_for_result(config, arf_filepath, args.fix_type)
suffixes = {"bash": "sh", "ansible": "yml", "puppet": "pp"}
fix_name = "fix." + suffixes[args.fix_type]
fix_filepath = os.path.join(full_output_dir, fix_name)
with io.open(fix_filepath, "w", encoding="utf-8") as f:
f.write(fix_script)
if args.report:
report = oscap_helpers.generate_html_report_for_result(config, arf_filepath)
report_filepath = os.path.join(full_output_dir, "report.html")
with io.open(report_filepath, "w", encoding="utf-8") as f:
f.write(report)
json_data["Scan Type"] = ", ".join(scan_type)
with open(os.path.join(
full_output_dir, "json"), "w") as f:
json.dump(json_data, f, indent=2)
def main():
parser = argparse.ArgumentParser(
description="OpenSCAP-Daemon one-off evaluator."
)
parser.add_argument(
"-v", "--version", action="version",
version="%(prog)s " + version.VERSION_STRING
)
parser.add_argument("--verbose",
help="be verbose, useful for debugging",
action="store_true")
subparsers = parser.add_subparsers(dest="action")
subparsers.required = True
config_parser = subparsers.add_parser(
"config",
help="Start with default configuration, auto-detect tool and content "
"locations and output the resulting INI results into stdout or "
"given file path"
)
config_parser.add_argument(
"--path", metavar="PATH", type=argparse.FileType("w"),
default=sys.stdout,
help="Destination where the config file will be written, defaults to "
"stdout."
)
xml_parser = subparsers.add_parser(
"xml",
help="Evaluate an EvaluationSpec passed as an XML, either to stdin or "
"as a file."
)
xml_parser.add_argument(
"--path", metavar="PATH", type=argparse.FileType("r"),
default=sys.stdin,
help="The input Evaluation Spec XML file. Defaults to stdin."
)
xml_parser.add_argument(
"--results", metavar="PATH", type=argparse.FileType("w"),
help="Write ARF (result datastream) or OVAL results XML to this file."
)
xml_parser.add_argument(
"--stdout", metavar="PATH", type=argparse.FileType("w"),
help="Write stdout from oscap tool to this file."
)
xml_parser.add_argument(
"--stderr", metavar="PATH", type=argparse.FileType("w"),
help="Write stderr from oscap tool to this file."
)
spec_parser = subparsers.add_parser(
"spec",
help="Evaluate an EvaluationSpec created using arguments passed on "
"the command line."
)
spec_parser.add_argument(
"--mode", type=str,
choices=["sds", "oval", "cve_scan", "standard_scan"],
default="sds",
help="Evaluation mode for the EvaluationSpec. 'sds' evaluates input as "
"a source datastream. 'oval' evaluates it as an OVAL file. 'cve_scan' "
"is a special mode that automatically uses the right CVE feed as OVAL "
"file. 'standard_scan' uses the right SSG content and standard profile "
"based on OS of the scanned system."
)
spec_parser.add_argument(
"--target", type=str,
default="localhost",
help="Which target should we be evaluating. Possible choices include: "
"'localhost', 'ssh://user@machine', 'docker-image://IMAGE_ID', "
"'docker-container://CONTAINER_ID', 'vm-domain://VM_NAME', "
"'vm-image:///path/to/image.qcow2', 'chroot:///path/to/chroot'."
)
spec_parser.add_argument(
"--input", metavar="PATH", dest="input_",
type=lambda path: io.open(path, "r", encoding="utf-8"),
default=sys.stdin,
help="Depending on --mode this should be a source datastream or OVAL "
"file. In cve_scan and standard_scan mode the --input is not used."
)
spec_parser.add_argument(
"--tailoring", metavar="PATH",
type=lambda path: io.open(path, "r", encoding="utf-8"),
help="XCCDF tailoring file. Only used in 'sds' mode."
)
spec_parser.add_argument(
"--profile", type=str,
default="",
help="ID of the XCCDF profile to use. Only used in 'sds' mode. Empty "
"string is the default and that means the (default) profile."
)
spec_parser.add_argument(
"--remediate", default=False, action="store_true",
help="Perform remediation for failed rules after the scan. Only used "
"in 'sds' and 'standard_scan' modes."
)
spec_parser.add_argument(
"--print-xml",
dest="print_xml",
action="store_true",
help="Don't evaluate the EvaluationSpec, just print its XML to stdout"
)
spec_parser.add_argument(
"--results", metavar="PATH",
type=lambda path: io.open(path, "w", encoding="utf-8"),
help="Write OVAL results or ARF result datastream (depending on mode) "
"to this location."
)
spec_parser.add_argument(
"--stdout", metavar="PATH",
type=lambda path: io.open(path, "w", encoding="utf-8"),
help="Write stdout from oscap tool to this file."
)
spec_parser.add_argument(
"--stderr", metavar="PATH",
type=lambda path: io.open(path, "w", encoding="utf-8"),
help="Write stderr from oscap tool to this file."
)
target_cpes_parser = subparsers.add_parser(
"target-cpes",
help="Detect CPEs applicable on given target"
)
target_cpes_parser.add_argument(
"--target", type=str,
default="localhost",
help="Which target should we be checking. Possible choices include: "
"'localhost', 'ssh://user@machine', 'docker-image://IMAGE_ID', "
"'docker-container://CONTAINER_ID', 'vm-domain://VM_NAME', "
"'vm-image:///path/to/image.qcow2', 'chroot:///path/to/chroot'."
)
target_profiles_parser = subparsers.add_parser(
"target-profiles",
help="Detect SCAP Security Guide profiles applicable on given target"
)
target_profiles_parser.add_argument(
"--target", type=str,
default="localhost",
help="Which target should we be checking. Possible choices include: "
"'localhost', 'ssh://user@machine', 'docker-image://IMAGE_ID', "
"'docker-container://CONTAINER_ID', 'vm-domain://VM_NAME', "
"'vm-image:///path/to/image.qcow2', 'chroot:///path/to/chroot'."
)
scan_parser = subparsers.add_parser(
"scan",
help="Scan a list of targets for CVEs and configuration compliance, "
"return aggregated results. This is an integration shim "
"intended for Atomic but can also be useful elsewhere."
)
scan_parser.add_argument(
"--targets", type=str, nargs="+",
default=["localhost"],
help="Which target(s) should we be scanning. Possible choices include: "
"'localhost', 'ssh://user@machine', 'docker-image://IMAGE_ID', "
"'docker-container://CONTAINER_ID', 'vm-domain://VM_NAME', "
"'vm-image:///path/to/image.qcow2', 'chroot:///path/to/chroot', "
"'chroots-in-dir:///path/to/chroots'. "
"Delimited by spaces."
)
scan_parser.add_argument(
"-j", "--jobs", type=int,
default=4,
help="How many worker jobs should scan in parallel."
)
scan_parser.add_argument(
"--no-cve-scan", default=False, action="store_true",
dest="no_cve_scan",
help="Skip the CVE scan."
)
scan_parser.add_argument(
# keeping the alias for compatibility with Atomic
"--no-configuration-compliance", "--no-standard-compliance", default=False, action="store_true",
dest="no_standard_compliance",
help="Skip the configuration compliance scan."
)
scan_parser.add_argument(
"--profile", type=str,
default="xccdf_org.ssgproject.content_profile_standard",
help="Specify the profile ID for configuration compliance scan. "
"If not specified, the 'standard' profile will be used."
)
scan_parser.add_argument(
"--output", type=str, required=True,
help="A directory where results will be stored in. There will be a "
"directory for each target created there with up to 4 files. 'json' "
"with json summary of the scan, cve.xml with CVE scan raw results, "
"arf.xml with configuration compliance scan raw results, and "
"fix.[sh|yml|pp] with a compliance remediation script."
)
scan_parser.add_argument(
"--fix_type", type=str,
choices=["bash", "ansible", "puppet"], default=None,
help="Specify the language of remediation script to be used."
)
scan_parser.add_argument(
"--report", action="store_true", default=False,
help="Create HTML report in the output directory."
)
args = parser.parse_args()
logging.basicConfig(format='%(levelname)s:%(message)s',
level=logging.DEBUG if args.verbose else logging.INFO)
logging.info("OpenSCAP Daemon one-off evaluator %s", version.VERSION_STRING)
if args.action == "config":
config = config_.Configuration()
config.autodetect_tool_paths()
config.autodetect_content_paths()
config.save_as(args.path)
sys.exit(0)
config_file = os.path.join("/", "etc", "oscapd", "config.ini")
if "OSCAPD_CONFIG_FILE" in os.environ:
config_file = os.environ["OSCAPD_CONFIG_FILE"]
config = config_.Configuration()
config.load(config_file)
config.autodetect_tool_paths()
config.autodetect_content_paths()
config.prepare_dirs(cleanup_allowed=False)
try:
config.sanity_check()
except:
logging.exception("Configuration file failed sanity checking!")
sys.exit(1)
if args.action == "xml":
cli_xml(args, config)
elif args.action == "spec":
cli_spec(args, config)
elif args.action == "target-cpes":
cpes = evaluation_spec.EvaluationSpec.detect_CPEs_of_target(
args.target, config
)
print("\n".join(cpes))
sys.exit(0)
elif args.action == "target-profiles":
cpes = evaluation_spec.EvaluationSpec.detect_CPEs_of_target(
args.target, config
)
ssg_sds = config.get_ssg_sds(cpes)
print("Security profiles applicable on target " + args.target + ":")
profiles = oscap_helpers.get_profile_choices_for_input(ssg_sds, None)
for profile_id, title in profiles.items():
if profile_id:
print(title + " (id='" + profile_id + "')")
else:
print("Default Profile")
sys.exit(0)
elif args.action == "scan":
cli_scan(args, config)
if __name__ == "__main__":
main()
����������������������������������������������������������������������������������openscap-daemon-0.1.8/bin/oscapd-cli����������������������������������������������������������������0000755�0001751�0000033�00000070352�13163222324�015774� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
from openscap_daemon import dbus_utils
from openscap_daemon import oscap_helpers
from openscap_daemon import cli_helpers
from openscap_daemon import version
import dbus
import sys
import argparse
from datetime import datetime
import os.path
import json
import time
import io
if sys.version_info < (3,):
import gobject
else:
from gi.repository import GObject as gobject
try:
import Atomic.util
atomic_support = True
except:
atomic_support = False
class TaskAccessor(object):
def __init__(self):
self._attributes = dict()
@staticmethod
def get_bool(values):
TaskAccessor._expect_param_len(values, 1)
bool_val = get_bool(values[0])
return [bool_val,]
@staticmethod
def get_int(values):
TaskAccessor._expect_param_len(values, 1)
return [int(values[0])]
@staticmethod
def _expect_param_len(values, expected):
length = len(values)
if length != expected:
raise ValueError(
"Expected %d parameters, but %d were provided." %
(expected, length)
)
@staticmethod
def get_string(values):
TaskAccessor._expect_param_len(values, 1)
return [values[0]]
def add_accessor(self, key, dbus_getter, dbus_setter, check=None, result_processor=None):
self.add_getter(key, dbus_getter, result_processor)
self.add_setter(key, dbus_setter, check)
def add_getter(self, key, dbus_getter, result_processor=None):
self._attributes["get-%s" % key] = (dbus_getter, None, result_processor)
def add_setter(self, key, dbus_setter, check=None):
self._attributes["set-%s" % key] = (dbus_setter, check, None)
def eval(self, dbus_iface, key, task_id, args):
record = self._attributes[key]
method_name = record[0]
cast_func = record[1]
result_func = record[2]
if cast_func:
casted_args = cast_func(args)
else:
casted_args = TaskAccessor.get_string(args)
casted_args.insert(0, task_id)
dbus_method = getattr(dbus_iface, method_name)
res = dbus_method(*casted_args)
if result_func:
result_func(res)
def __contains__(self, key):
return key in self._attributes
def get_allowed(self):
return self._attributes.keys()
def get_dbus_interface():
bus = dbus_utils.get_dbus()
if bus is None:
return None
obj = bus.get_object(
dbus_utils.BUS_NAME,
dbus_utils.OBJECT_PATH
)
if obj is None:
return None
return dbus.Interface(obj, dbus_utils.DBUS_INTERFACE)
def cli_status(dbus_iface, args):
async_status = dbus_iface.GetAsyncActionsStatus()
print(async_status)
def cli_eval(dbus_iface, args):
eval_spec = cli_helpers.cli_create_evaluation_spec(dbus_iface)
if eval_spec is not None:
token = dbus_iface.EvaluateSpecXMLAsync(eval_spec.to_xml_source())
try:
print("Evaluating...")
while True:
success, arf, stdout, stderr, exit_code = \
dbus_iface.GetEvaluateSpecXMLAsyncResults(token)
if success:
if args.results_arf:
args.results_arf.write(arf)
args.results_arf.close()
if args.stdout:
args.stdout.write(stdout)
args.stdout.close()
if args.stderr:
args.stderr.write(stderr)
args.stderr.close()
# TODO: show the results
break
time.sleep(1)
except:
dbus_iface.CancelEvaluateSpecXMLAsync(token)
raise
def cli_print_results_table(dbus_iface, task_id, result_ids,
max_items=sys.maxsize):
table = [["ID", "Timestamp", "Status"]]
for result_id in result_ids[:max_items]:
exit_code = dbus_iface.GetExitCodeOfTaskResult(
task_id, result_id
)
status = oscap_helpers.get_status_from_exit_code(exit_code)
timestamp = dbus_iface.GetResultCreatedTimestamp(task_id, result_id)
table.append([str(result_id), datetime.fromtimestamp(timestamp), status])
cli_helpers.print_table(table)
if max_items < len(result_ids):
print("... and %i more" % (len(result_ids) - max_items))
def cli_task(dbus_iface, task_accessor, args):
if args.task_id is None:
# args.task_action is ignored in this scope
table = [["ID", "Title", "Target", "Modified", "Enabled"]]
task_ids = dbus_iface.ListTaskIDs()
enabled_count = 0
for task_id in task_ids:
title = dbus_iface.GetTaskTitle(task_id)
target = dbus_iface.GetTaskTarget(task_id)
modified_timestamp = dbus_iface.GetTaskModifiedTimestamp(task_id)
modified = datetime.fromtimestamp(modified_timestamp)
enabled = dbus_iface.GetTaskEnabled(task_id)
if enabled:
enabled_count += 1
table.append([
str(task_id),
title,
target,
modified,
# TODO: Maybe we can show the disabled state in a better way?
"enabled" if enabled else "disabled"
])
cli_helpers.print_table(table)
print("")
print("Found %i tasks, %i of them enabled." %
(len(task_ids), enabled_count))
else:
if args.task_action == "info":
title = dbus_iface.GetTaskTitle(args.task_id)
target = dbus_iface.GetTaskTarget(args.task_id)
created_timestamp = dbus_iface.GetTaskCreatedTimestamp(args.task_id)
created = datetime.fromtimestamp(created_timestamp)
modified_timestamp = dbus_iface.GetTaskModifiedTimestamp(args.task_id)
modified = datetime.fromtimestamp(modified_timestamp)
table = []
table.append(["Title", title])
table.append(["ID", str(args.task_id)])
table.append(["Target", target])
table.append(["Created", created])
table.append(["Modified", modified])
cli_helpers.print_table(table, first_row_header=False)
print("")
result_ids = dbus_iface.GetTaskResultIDs(args.task_id)
if len(result_ids) > 0:
print("Latest results:")
cli_print_results_table(dbus_iface, args.task_id, result_ids, 5)
print("")
if not dbus_iface.GetTaskEnabled(args.task_id):
print("This task is currently disabled. Enable it by calling:")
print("$ oscapd-cli task %i enable" % (args.task_id))
# TODO
elif args.task_action == "guide":
guide = dbus_iface.GenerateGuideForTask(args.task_id)
print(guide)
elif args.task_action == "bash_fix":
fix = dbus_iface.GenerateFixForTask(args.task_id, "bash")
print(fix)
elif args.task_action == "ansible_fix":
fix = dbus_iface.GenerateFixForTask(args.task_id, "ansible")
print(fix)
elif args.task_action == "puppet_fix":
fix = dbus_iface.GenerateFixForTask(args.task_id, "puppet")
print(fix)
elif args.task_action == "run":
dbus_iface.RunTaskOutsideSchedule(args.task_id)
elif args.task_action == "enable":
dbus_iface.SetTaskEnabled(args.task_id, True)
elif args.task_action == "disable":
dbus_iface.SetTaskEnabled(args.task_id, False)
elif args.task_action == "remove":
if args.force or confirm("Do you really want to delete task with ID %i?" % args.task_id):
dbus_iface.RemoveTask(args.task_id, args.remove_results)
elif args.task_action in task_accessor:
try:
task_accessor.eval(
dbus_iface, args.task_action, args.task_id,
args.parameters[0]
)
except ValueError as e:
sys.stderr.write("%s\n" % (e))
sys.exit(1)
else:
# throwing exception here, this code should never be executed if
# argparse does its job
raise RuntimeError("Unknown action '%s'." % (args.task_action))
def cli_task_create(dbus_iface, args):
if args.interactive:
print("Creating new task in interactive mode")
title = cli_helpers.py2_raw_input("Title: ")
target = cli_helpers.py2_raw_input("Target (empty for localhost): ")
if not target:
target = "localhost"
input_ssg_choice = ""
ssg_choices = dbus_iface.GetSSGChoices()
if ssg_choices:
print("Found the following SCAP Security Guide content: ")
for i, ssg_choice in enumerate(ssg_choices):
print("\t%i: %s" % (i + 1, ssg_choice))
input_file = None
input_ssg_choice = cli_helpers.py2_raw_input(
"Choose SSG content by number (empty for custom content): ")
if not input_ssg_choice:
input_file = cli_helpers.py2_raw_input("Input file (absolute path): ")
else:
input_file = ssg_choices[int(input_ssg_choice) - 1]
if not input_file:
sys.stderr.write(
"You have to provide an SCAP input file for the task!\n"
)
sys.exit(1)
if not os.path.isabs(input_file):
sys.stderr.write(
"'%s' is not an absolute path. Please provide the absolute "
"path that can be used to access the SCAP content on the "
"machine running openscap-daemon.\n" % (input_file)
)
sys.exit(1)
tailoring_file = cli_helpers.py2_raw_input(
"Tailoring file (absolute path, empty for no tailoring): ")
if tailoring_file in [None, ""]:
tailoring_file = ""
else:
if not os.path.isabs(tailoring_file):
sys.stderr.write(
"'%s' is not an absolute path. Please provide the absolute "
"path that can be used to access the tailoring file on the "
"machine running openscap-daemon.\n" % (tailoring_file)
)
sys.exit(1)
print("Found the following possible profiles: ")
profile_choices = dbus_iface.GetProfileChoicesForInput(
input_file, tailoring_file
)
for i, (key, value) in enumerate(profile_choices.items()):
print("\t%i: %s (id='%s')" % (i + 1, value, key))
profile_choice = cli_helpers.py2_raw_input(
"Choose profile by number (empty for (default) profile): ")
if profile_choice:
profile = list(profile_choices.keys())[int(profile_choice) - 1]
else:
profile = ""
online_remediation_raw = \
cli_helpers.py2_raw_input(
"Online remediation (1, y or Y for yes, else no): "
)
try:
online_remediation = get_bool(online_remediation_raw, default=False)
except ValueError:
pass
print("Schedule: ")
schedule_not_before = None
schedule_not_before_str = \
cli_helpers.py2_raw_input(
" - not before (YYYY-MM-DD HH:MM in UTC, empty for NOW): "
)
if schedule_not_before_str == "":
schedule_not_before = datetime.now()
else:
schedule_not_before = datetime.strptime(
schedule_not_before_str, "%Y-%m-%d %H:%M"
)
schedule_repeat_after = None
schedule_repeat_after_str = \
cli_helpers.py2_raw_input(
" - repeat after (hours or @daily, @weekly, @monthly, "
"empty or 0 for no repeat): "
)
schedule_repeat_after = 0
if not schedule_repeat_after_str:
pass # empty means no repeat
elif schedule_repeat_after_str == "@daily":
schedule_repeat_after = 1 * 24
elif schedule_repeat_after_str == "@weekly":
schedule_repeat_after = 7 * 24
elif schedule_repeat_after_str == "@monthly":
schedule_repeat_after = 30 * 24
else:
schedule_repeat_after = int(schedule_repeat_after_str)
# most users need just drop_missed_aligned, we will not offer the
# other options here
# schedule_slip_mode = task.SlipMode.DROP_MISSED_ALIGNED
task_id = dbus_iface.CreateTask()
dbus_iface.SetTaskTitle(task_id, title)
dbus_iface.SetTaskTarget(task_id, target)
dbus_iface.SetTaskInput(task_id, input_file)
dbus_iface.SetTaskTailoring(task_id, tailoring_file)
dbus_iface.SetTaskProfileID(task_id, profile)
dbus_iface.SetTaskOnlineRemediation(task_id, online_remediation)
dbus_iface.SetTaskScheduleNotBefore(
task_id, schedule_not_before.strftime("%Y-%m-%dT%H:%M")
)
dbus_iface.SetTaskScheduleRepeatAfter(task_id, schedule_repeat_after)
print(
"Task created with ID '%i'. It is currently set as disabled. "
"You can enable it with `oscapd-cli task %i enable`." %
(task_id, task_id)
)
# TODO: Setting Schedule SlipMode
else:
raise NotImplementedError("Not yet!")
def cli_result(dbus_iface, args):
if args.result_id is None:
task_title = dbus_iface.GetTaskTitle(args.task_id)
print("Results of Task \"%s\", ID = %i" % (task_title, args.task_id))
print("")
result_ids = dbus_iface.GetTaskResultIDs(args.task_id)
cli_print_results_table(dbus_iface, args.task_id, result_ids)
elif args.result_id == "remove":
if args.force or confirm("Do you really want to remove all results of task %d"
% args.task_id):
dbus_iface.RemoveTaskResults(args.task_id)
else:
if args.result_action == "arf":
arf = dbus_iface.GetARFOfTaskResult(args.task_id, args.result_id)
print(arf)
elif args.result_action == "stdout":
stdout = dbus_iface.GetStdOutOfTaskResult(
args.task_id, args.result_id
)
print(stdout)
elif args.result_action == "stderr":
stderr = dbus_iface.GetStdErrOfTaskResult(
args.task_id, args.result_id
)
print(stderr)
elif args.result_action == "exit_code":
exit_code = dbus_iface.GetExitCodeOfTaskResult(
args.task_id, args.result_id
)
print("%i" % (exit_code))
elif args.result_action == "report":
report = dbus_iface.GenerateReportForTaskResult(
args.task_id, args.result_id
)
print(report)
elif args.result_action == "bash_fix":
fix = dbus_iface.GenerateFixForTaskResult(
args.task_id, args.result_id, "bash"
)
print(fix)
elif args.result_action == "ansible_fix":
fix = dbus_iface.GenerateFixForTaskResult(
args.task_id, args.result_id, "ansible"
)
print(fix)
elif args.result_action == "puppet_fix":
fix = dbus_iface.GenerateFixForTaskResult(
args.task_id, args.result_id, "puppet"
)
print(fix)
elif args.result_action == "remove":
if args.force or confirm("Do you really want to remove result %d from task %d"
% (args.result_id, args.task_id)):
dbus_iface.RemoveTaskResult(args.task_id, args.result_id)
else:
raise RuntimeError(
"Unknown result action '%s'." % (args.result_action)
)
def cli_scan(dbus_iface, args):
if args.fetch_cves is None:
fetch_cve = 2 # use defaults
elif args.fetch_cves:
fetch_cve = 1 # disable
else:
fetch_cve = 0 # enable
threads_count = 4
scan_targets = []
any_target_specified = False
if args.all or args.images:
images = json.loads(dbus_iface.images())
images_ids = [str(image["Id"]) for image in images]
scan_targets.extend(images_ids)
any_target_specified = True
if args.all or args.containers:
containers = json.loads(dbus_iface.containers())
container_ids = [str(container["Id"]) for container in containers]
scan_targets.extend(container_ids)
any_target_specified = True
if args.scan_targets:
scan_targets.extend(args.scan_targets) # todo do check if targets are valid
any_target_specified = True
if not any_target_specified:
raise RuntimeError("No scan target")
token = dbus_iface.CVEScanListAsync(
scan_targets, threads_count, fetch_cve
)
try:
print("Processing...")
while True:
success, scan_results = dbus_iface.GetCVEScanListAsyncResults(token)
if success:
break
time.sleep(1)
except:
dbus_iface.CancelCVEScanListAsync(token)
raise
if args.json:
print(scan_results)
else:
json_parsed = json.loads(scan_results)
if args.detail:
clean = Atomic.util.print_detail_scan_summary(
json_parsed
)
else:
if args.scan_targets:
raise NotImplemented(
"This type of output is not implemented"
"for specified targets.\n"
)
clean = Atomic.util.print_scan_summary(
json_parsed, scan_targets
)
if not clean:
sys.exit(1)
def get_bool(val, default=False):
val = val.lower()
if not val:
return default
if val in ['n', '0', 'false', 'no']:
return False
if val in ['y', '1', 'true', 'yes']:
return True
raise ValueError("'%s' is not valid value, use y/n instead." % (val))
def confirm(prompt, default=False):
options = "Y/n" if default else "y/N"
while True:
try:
res = cli_helpers.py2_raw_input("%s [%s]: " % (prompt, options))
return get_bool(res, default)
except ValueError:
continue
except EOFError:
sys.stderr.write("Operation aborted.\n")
return default
def main():
parser = argparse.ArgumentParser(
description="OpenSCAP-Daemon command line interface."
)
parser.add_argument(
"-v", "--version", action="version",
version="%(prog)s " + version.VERSION_STRING
)
subparsers = parser.add_subparsers(dest="action")
subparsers.required = True
task_accessor = TaskAccessor()
task_accessor.add_setter("enabled",
"SetTaskEnabled",
TaskAccessor.get_bool)
task_accessor.add_setter("title", "SetTaskTitle")
task_accessor.add_setter("target", "SetTaskTarget")
task_accessor.add_setter("input", "SetTaskInput")
task_accessor.add_setter("tailoring", "SetTaskTailoring")
task_accessor.add_setter("profile-id", "SetTaskProfileID")
task_accessor.add_setter("online-remediation",
"SetTaskOnlineRemediation",
TaskAccessor.get_bool)
task_accessor.add_setter("schedule-not-before", "SetTaskScheduleNotBefore")
task_accessor.add_setter("schedule-repeat-after",
"SetTaskScheduleRepeatAfter",
TaskAccessor.get_int)
def add_eval_parser(subparsers):
eval_parser = subparsers.add_parser(
"eval",
help="Interactive one-off evaluation of any target supported by "
"OpenSCAP Daemon"
)
eval_parser.add_argument(
"--results-arf", dest="results_arf",
type=lambda path: io.open(path, "w", encoding="utf-8"),
help="Write ARF (result data stream) into file on this path."
)
eval_parser.add_argument(
"--stdout",
type=lambda path: io.open(path, "w", encoding="utf-8"),
help="Write stdout from oscap into file on this path."
)
eval_parser.add_argument(
"--stderr",
type=lambda path: io.open(path, "w", encoding="utf-8"),
help="Write stderr from oscap into file on this path."
)
# todo non-interactive
add_eval_parser(subparsers)
def add_task_parser(subparsers, task_accessor):
task_parser = subparsers.add_parser(
"task",
help="Show info about tasks that have already been defined. "
"Perform operations on already defined tasks."
)
task_parser.add_argument(
"task_id", metavar="TASK_ID", type=int, nargs="?",
help="ID of the task to display, or perform action on. If none is "
"provided a summary of all tasks is displayed."
)
task_actions = ["info", "guide", "run", "enable", "disable", "remove",
"bash_fix", "ansible_fix", "puppet_fix"]
task_actions += task_accessor.get_allowed()
task_parser.add_argument(
"task_action", metavar="ACTION", type=str,
choices=task_actions,
help="Which action to perform on selected task. Use one of " +
", ".join(task_actions),
default="info", nargs="?"
)
task_parser.add_argument(
"parameters", metavar="parameter", action="append", nargs="*",
help="Parameters for the ACTION. For setter actions this is the "
"string that you want to set. Some actions, such as enable, remove, "
"... don't require any parameters."
)
task_parser.add_argument(
"-f", "--force", help="remove task without confirmation",
action="store_true"
)
task_parser.add_argument(
"-r", "--remove-results", help="remove with results",
action="store_true"
)
add_task_parser(subparsers, task_accessor)
def add_task_create_parser(subparsers):
task_create_parser = subparsers.add_parser(
"task-create",
help="Create new task."
)
task_create_parser.add_argument(
"-i", "--interactive", action="store_true", dest="interactive", required=True
)
add_task_create_parser(subparsers)
def add_status_parser(subparsers):
status_parser = subparsers.add_parser(
"status",
help="Displays status, tasks that are planned and tasks that are "
"being evaluated."
)
add_status_parser(subparsers)
def result_id_or_action(val):
if val == "remove":
return "remove"
try:
return int(val)
except ValueError:
raise argparse.ArgumentTypeError("'%s' is not \"remove\" or integer"
% (val))
def add_result_parser(subparsers):
result_parser = subparsers.add_parser(
"result",
help="Displays info about past results"
)
result_parser.add_argument(
"task_id", metavar="TASK_ID", type=int
)
result_parser.add_argument(
"result_id", metavar="RESULT_ID", type=result_id_or_action, nargs="?",
help="ID of the result we want to interact with, if none is "
"provided a summary of all results of given task is displayed."
)
result_actions = [
"arf", "stdout", "stderr", "exit_code", "report", "remove",
"bash_fix", "ansible_fix", "puppet_fix"
]
result_parser.add_argument(
"result_action", metavar="ACTION", type=str,
choices=result_actions,
help="Which action to perform on selected result. Use one of " +
", ".join(result_actions),
default="arf", nargs="?",
)
result_parser.add_argument(
"-f", "--force", help="remove results without confirmation",
action="store_true"
)
add_result_parser(subparsers)
def add_scan_parser(subparsers):
scan_parser = subparsers.add_parser(
"scan", help="scan an image or container for CVEs",
epilog="atomic scan scans a container or image for CVEs"
)
scan_parser.add_argument(
"scan_targets", nargs='*', help="container image"
)
scan_parser.add_argument(
"--fetch_cves", type=get_bool, default=None
)
scan_out = scan_parser.add_mutually_exclusive_group()
scan_out.add_argument(
"--json", default=False, action='store_true',
help="output json"
)
scan_out.add_argument(
"--detail", default=False, action='store_true',
help="output more detail"
)
scan_group = scan_parser.add_mutually_exclusive_group()
scan_group.add_argument(
"--all", default=False, action='store_true',
help="scan all images (excluding intermediate layers) and containers"
)
scan_group.add_argument(
"--images", default=False, action='store_true',
help="scan all images (excluding intermediate layers"
)
scan_group.add_argument(
"--containers", default=False, action='store_true',
help="scan all containers"
)
if atomic_support:
add_scan_parser(subparsers)
args = parser.parse_args()
gobject.threads_init()
dbus_iface = None
try:
dbus_iface = get_dbus_interface()
except:
sys.stderr.write(
"Error: Failed to connect to the OpenSCAP-daemon DBus interface. "
"Is the daemon running?\n\n"
)
raise
try:
oscapd_version_major, oscapd_version_minor, oscapd_version_patch = \
dbus_iface.GetVersion()
if (oscapd_version_major, oscapd_version_minor, oscapd_version_patch) \
!= (version.VERSION_MAJOR, version.VERSION_MINOR, version.VERSION_PATCH):
sys.stderr.write(
"Warning: Version mismatch between oscapd-cli and oscapd.\n")
except dbus.exceptions.DBusException as e:
if e.get_dbus_name() == "org.freedesktop.DBus.Error.UnknownMethod":
sys.stderr.write(
"Warning: Can't perform version check, the openscap-daemon dbus"
" interface doesn't provide the GetVersion method.\n\n"
)
elif e.get_dbus_name() == "org.freedesktop.DBus.Error.AccessDenied":
sys.stderr.write(
"Error: Access denied on the DBus interface. "
"Do you have the necessary permissions?\n\n"
)
sys.exit(1)
else:
raise
if args.action == "status":
cli_status(dbus_iface, args)
elif args.action == "eval":
cli_eval(dbus_iface, args)
elif args.action == "task":
cli_task(dbus_iface, task_accessor, args)
elif args.action == "task-create":
cli_task_create(dbus_iface, args)
elif args.action == "status":
cli_status(dbus_iface, args)
elif args.action == "result":
cli_result(dbus_iface, args)
elif atomic_support and args.action == "scan":
cli_scan(dbus_iface, args)
else:
raise RuntimeError("Unknown action '%s'." % (args.action))
if __name__ == "__main__":
main()
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/bin/oscapd��������������������������������������������������������������������0000755�0001751�0000033�00000005306�13163222324�015224� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
from openscap_daemon import dbus_daemon
from openscap_daemon import dbus_utils
from openscap_daemon import version
import os
import logging
import sys
import argparse
gobject_mainloop = None
if sys.version_info < (3,):
import gobject
gobject_MainLoop = gobject.MainLoop
else:
from gi.repository import GObject as gobject
from gi.repository import GLib
gobject_MainLoop = GLib.MainLoop
def main():
parser = argparse.ArgumentParser(
description="OpenSCAP-Daemon executable."
)
parser.add_argument(
"-v", "--version", action="version",
version="%(prog)s " + version.VERSION_STRING
)
parser.add_argument("--verbose",
help="be verbose, useful for debugging",
action="store_true")
args = parser.parse_args()
logging.basicConfig(format='%(levelname)s:%(message)s',
level=logging.DEBUG if args.verbose else logging.INFO)
logging.info("OpenSCAP Daemon %s", version.VERSION_STRING)
import dbus.mainloop.glib
gobject.threads_init()
dbus.mainloop.glib.threads_init()
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
try:
bus = dbus_utils.get_dbus()
name = dbus.service.BusName(dbus_utils.BUS_NAME, bus)
except dbus.exceptions.DBusException as e:
if e.get_dbus_name() == "org.freedesktop.DBus.Error.AccessDenied":
sys.stderr.write(
"Error: DBus denied access to own '%s'. "
"Do you have the necessary permissions?\n\n"
% (dbus_utils.BUS_NAME)
)
raise
config_file = os.path.join("/", "etc", "oscapd", "config.ini")
if "OSCAPD_CONFIG_FILE" in os.environ:
config_file = os.environ["OSCAPD_CONFIG_FILE"]
obj = dbus_daemon.OpenSCAPDaemonDbus(bus, config_file)
loop = gobject_MainLoop()
loop.run()
if __name__ == "__main__":
main()
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/������������������������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�014413� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/install_test������������������������������������������������������������0000755�0001751�0000033�00000002315�13163222324�017047� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
# Copyright 2016 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
echo "Running install tests..."
echo
PARENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
EXIT_CODE=0
test="setup.py --dry-run"
printf "%-60s %s ... " "$test"
pushd $PARENT_DIR/.. > /dev/null
output=`$PYTHON setup.py --dry-run install 2>&1`
if [ "$?" == "0" ]; then
echo "[ pass ]"
else
echo "[ FAIL ]"
echo
echo "$output"
echo
EXIT_CODE=1
fi
popd > /dev/null
exit $EXIT_CODE
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/unit/�������������������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�015372� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/unit/test_generate_guide.py���������������������������������������������0000755�0001751�0000033�00000002374�13163222324�021763� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python2
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import unit_test_harness
class GenerateGuideTest(unit_test_harness.APITest):
def setup_data(self):
super(GenerateGuideTest, self).setup_data()
self.copy_to_data("tasks/1.xml")
def test(self):
super(GenerateGuideTest, self).test()
self.system.load_tasks()
assert(len(self.system.tasks) == 1)
print(self.system.generate_guide_for_task(1))
if __name__ == "__main__":
GenerateGuideTest.run()
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/unit/make_check���������������������������������������������������������0000755�0001751�0000033�00000002621�13163222324�017373� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
echo "Running unit tests..."
echo
# parent dir of this script
PARENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
pushd $PARENT_DIR > /dev/null
# add directory with "unit" to $PYTHONPATH
export PYTHONPATH=$PARENT_DIR/tests/unit:$PYTHONPATH
RUNWRAPPER_NO_FORK=1 source ../../runwrapper.sh
EXIT_CODE=0
for file in test_*.py
do
printf "%-60s %s ... " "$file"
output=`$PYTHON ./$file 2>&1`
if [ "$?" == "0" ]; then
echo "[ pass ]"
else
echo "[ FAIL ]"
echo
echo "$output"
echo
EXIT_CODE=1
fi
done
popd > /dev/null
exit $EXIT_CODE
���������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/unit/test_basic_update.py�����������������������������������������������0000755�0001751�0000033�00000002534�13163222324�021435� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python2
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import unit_test_harness
import time
class BasicUpdateTest(unit_test_harness.APITest):
def setup_data(self):
super(BasicUpdateTest, self).setup_data()
self.copy_to_data("tasks/1.xml")
def test(self):
super(BasicUpdateTest, self).test()
self.system.load_tasks()
assert(len(self.system.tasks) == 1)
print(self.system.tasks)
self.system.schedule_tasks()
while len(self.system.async.actions) > 0:
time.sleep(1)
if __name__ == "__main__":
BasicUpdateTest.run()
��������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/unit/test_config.py�����������������������������������������������������0000755�0001751�0000033�00000005104�13163222324�020253� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python2
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import unit_test_harness
import os.path
import openscap_daemon.config
# TODO: The harness initializes System and we don't need that here
class ConfigTest(unit_test_harness.APITest):
def setup_data(self):
super(ConfigTest, self).setup_data()
self.copy_to_data("config_test.ini")
def test(self):
super(ConfigTest, self).test()
config = openscap_daemon.config.Configuration()
full_path = os.path.abspath(
os.path.join(self.data_dir_path, "config_test.ini")
)
config.load(full_path)
assert(config.config_file == full_path)
assert(config.jobs == 8)
assert(config.oscap_path == "/a/b/c/oscap")
assert(config.oscap_ssh_path == "/d/e/f/oscap-ssh")
assert(config.oscap_vm_path == "/openscap/bin/oscap-vm")
assert(config.oscap_docker_path == "/g/h/i/j/oscap-docker")
assert(config.ssg_path == "/g/h/i/ssg/content")
assert(config.fetch_cve_url == "http://a.b.com/some/folder/")
saved_full_path = os.path.join(self.data_dir_path, "config_test_s.ini")
config.save_as(saved_full_path)
assert(config.config_file == saved_full_path)
config2 = openscap_daemon.config.Configuration()
config2.load(saved_full_path)
assert(config2.config_file == saved_full_path)
assert(config2.jobs == 8)
assert(config2.oscap_path == "/a/b/c/oscap")
assert(config2.oscap_ssh_path == "/d/e/f/oscap-ssh")
assert(config2.oscap_vm_path == "/openscap/bin/oscap-vm")
assert(config2.oscap_docker_path == "/g/h/i/j/oscap-docker")
assert(config2.ssg_path == "/g/h/i/ssg/content")
assert(config2.fetch_cve_url == "http://a.b.com/some/folder/")
if __name__ == "__main__":
ConfigTest.run()
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/unit/__init__.py��������������������������������������������������������0000644�0001751�0000033�00000000000�13163222324�017471� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/unit/unit_test_harness.py�����������������������������������������������0000755�0001751�0000033�00000005767�13163222324�021527� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python2
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import openscap_daemon
from openscap_daemon.config import Configuration
import tempfile
import shutil
import os.path
def get_template_data_dir():
# Beware, nasty tricks ahead!
return os.path.join(
os.path.dirname(os.path.dirname(__file__)),
"data_dir_template"
)
class APITest(object):
"""Needs a data_dir to work
"""
def __init__(self, data_dir_path):
self.system = None
self.data_dir_path = data_dir_path
def copy_to_data(self, template_path):
"""Overrides of setup_data are supposed to use this to copy special
data files into the temporary data directory.
"""
shutil.copy(
os.path.join(get_template_data_dir(), template_path),
os.path.join(self.data_dir_path, template_path)
)
def setup_data(self):
# This ensures that data_dir is prepared and all the directories are in
# their place. This is necessary so that we can later copy in our test
# files.
assert(os.path.isdir(self.data_dir_path))
self.copy_to_data("config.ini")
# we do this to create all the necessary directories
fake_config = Configuration()
fake_config.load(os.path.join(self.data_dir_path, "config.ini"))
fake_config.prepare_dirs()
def init_system(self):
self.system = openscap_daemon.System(
os.path.join(self.data_dir_path, "config.ini")
)
def teardown_data(self):
# Most implementations won't do anything here, the entire directory will
# be recursively removed anyway.
pass
def test(self):
# This is the important method, this is where code is run
pass
@classmethod
def run(cls):
temp_dir = None
try:
temp_dir = tempfile.mkdtemp()
instance = cls(temp_dir)
instance.setup_data()
instance.init_system()
instance.test()
instance.teardown_data()
shutil.rmtree(temp_dir)
except:
if temp_dir is not None:
print(
"Examine '%s' to debug failure of this test.\n" % (temp_dir)
)
raise
���������openscap-daemon-0.1.8/tests/unit/test_generate_report.py��������������������������������������������0000755�0001751�0000033�00000002536�13163222324�022201� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python2
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import unit_test_harness
class GenerateReportTest(unit_test_harness.APITest):
def setup_data(self):
super(GenerateReportTest, self).setup_data()
self.copy_to_data("tasks/1.xml")
#self.ensure_dir("results/1/1")
#self.copy_to_data("results/1/1")
def test(self):
super(GenerateReportTest, self).test()
self.system.load_tasks()
assert(len(self.system.tasks) == 1)
#print(self.system.generate_report_for_task_result(1, 1))
if __name__ == "__main__":
GenerateReportTest.run()
������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/unit/test_serialization.py����������������������������������������������0000755�0001751�0000033�00000003337�13163222324�021671� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python2
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import unit_test_harness
import os.path
class SerializationTest(unit_test_harness.APITest):
def setup_data(self):
super(SerializationTest, self).setup_data()
self.copy_to_data("tasks/1.xml")
def test(self):
super(SerializationTest, self).test()
self.system.load_tasks()
assert(len(self.system.tasks) == 1)
self.system.tasks[1].save_as(
os.path.join(self.data_dir_path, "tasks", "2.xml")
)
self.system.load_tasks()
assert(len(self.system.tasks) == 2)
assert(
self.system.tasks[1].is_equivalent_to(self.system.tasks[2])
)
self.system.tasks[2].title = "Broken!"
assert(
not self.system.tasks[1].is_equivalent_to(self.system.tasks[2])
)
task_id = self.system.create_task()
self.system.tasks[task_id].save()
if __name__ == "__main__":
SerializationTest.run()
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/make_check��������������������������������������������������������������0000755�0001751�0000033�00000002377�13163222324�016424� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
# Copyright 2016 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
# parent dir of this script
PARENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
pushd $PARENT_DIR > /dev/null
PYTHON_VERSIONS="$(which python2 2> /dev/null) $(which python3 2> /dev/null)"
for PYTHON in $PYTHON_VERSIONS;
do
echo "Testing with python '$PYTHON'"
echo
export PYTHON
./unit/make_check || exit 1
echo
./integration/make_check || exit 1
echo
./install_test || exit 1
echo
echo
done
popd > /dev/null
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/data_dir_template/������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�020055� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/data_dir_template/tasks/������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�021202� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/data_dir_template/tasks/1.xml�������������������������������������������0000644�0001751�0000033�00002746572�13163222324�022113� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Weekly SCAP Security Guide Evaluationsdslocalhost
<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_ssg-fedora-xccdf-1.2.xml" schematron-version="1.0">
<ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-fedora-xccdf-1.2.xml" scap-version="1.2" use-case="OTHER">
<ds:dictionaries>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-fedora-cpe-dictionary.xml" xlink:href="#scap_org.open-scap_comp_output--ssg-fedora-cpe-dictionary.xml">
<cat:catalog>
<cat:uri name="ssg-fedora-cpe-oval.xml" uri="#scap_org.open-scap_cref_output--ssg-fedora-cpe-oval.xml"/>
</cat:catalog>
</ds:component-ref>
</ds:dictionaries>
<ds:checklists>
<ds:component-ref id="scap_org.open-scap_cref_ssg-fedora-xccdf-1.2.xml" xlink:href="#scap_org.open-scap_comp_ssg-fedora-xccdf-1.2.xml">
<cat:catalog>
<cat:uri name="ssg-fedora-oval.xml" uri="#scap_org.open-scap_cref_ssg-fedora-oval.xml"/>
</cat:catalog>
</ds:component-ref>
</ds:checklists>
<ds:checks>
<ds:component-ref id="scap_org.open-scap_cref_ssg-fedora-oval.xml" xlink:href="#scap_org.open-scap_comp_ssg-fedora-oval.xml"/>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-fedora-cpe-oval.xml" xlink:href="#scap_org.open-scap_comp_output--ssg-fedora-cpe-oval.xml"/>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-fedora-oval.xml" xlink:href="#scap_org.open-scap_comp_output--ssg-fedora-oval.xml"/></ds:checks>
</ds:data-stream>
<ds:component id="scap_org.open-scap_comp_ssg-fedora-oval.xml" timestamp="2015-03-17T12:23:34">
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
<generator>
<oval:product_name>python</oval:product_name>
<oval:product_version>2.6.6</oval:product_version>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2011-09-21T13:44:00</oval:timestamp>
</generator>
<definitions>
<definition class="compliance" id="oval:ssg:def:125" version="1">
<metadata>
<title>Specify a Remote NTP Server for Time Data</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Multiple NTP Servers for time synchronization should be
specified</description>
<reference source="galford" ref_id="20141107" ref_url="test_attestation"/>
<reference ref_id="ntpd_specify_multiple_servers" source="ssg"/></metadata>
<criteria comment="ntp.conf conditions are met">
<criterion test_ref="oval:ssg:tst:126"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:127" version="1">
<metadata>
<title>No nullok Option in /etc/pam.d/system-auth</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The file /etc/pam.d/system-auth should not contain the nullok option</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="no_empty_passwords" source="ssg"/></metadata>
<criteria>
<criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="oval:ssg:tst:128"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:129" version="1">
<metadata>
<title>Set Password minclass Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minclass should meet the minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_minclass" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for minclass are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:131"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:100" version="1">
<metadata>
<title>Fedora release 19 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:19" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 19 (Schrödinger's Cat)</description>
<reference ref_id="installed_OS_is_fedora19" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 19 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:132" version="1">
<metadata>
<title>Package openssh-server Removed</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package openssh-server should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_openssh-server_removed" source="ssg"/></metadata>
<criteria>
<criterion comment="package openssh-server is removed" test_ref="oval:ssg:tst:133"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:134" version="1">
<metadata>
<title>Package dconf Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The RPM package dconf should be installed.</description>
<reference source="galford" ref_id="20140424" ref_url="test_attestation"/>
<reference ref_id="package_dconf_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package dconf is installed" test_ref="oval:ssg:tst:135"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:136" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The maximum password age policy should meet minimum requirements.</description>
<reference source="JL" ref_id="RHEL6_20150130" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150130" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150130" ref_url="test_attestation"/>
<reference ref_id="accounts_maximum_age_login_defs" source="ssg"/></metadata>
<criteria comment="The value PASS_MAX_DAYS should be set appropriately in /etc/login.defs">
<criterion test_ref="oval:ssg:tst:137"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:138" version="1">
<metadata>
<title>Verify that System Executables Have Root Ownership</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
/usr/local/sbin, and objects therein, are owned by root.
</description>
<reference ref_id="file_ownership_binary_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:139"/>
<criterion test_ref="oval:ssg:tst:140"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:141" version="1">
<metadata>
<title>Set OpenSSH Idle Timeout Interval</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The SSH idle timeout interval should be set to an
appropriate value.</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140224" ref_url="test_attestation" /> -->
<reference ref_id="sshd_set_idle_timeout" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="oval:ssg:tst:143"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:144" version="1">
<metadata>
<title>Enable GNOME3 Login Warning Banner</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Enable the GNOME3 Login warning banner.</description>
<reference source="galford" ref_id="20140823" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_banner_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Enable GUI banner" test_ref="oval:ssg:tst:146"/>
<criterion comment="Prevent user from disabling banner" test_ref="oval:ssg:tst:147"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:148" version="1">
<metadata>
<title>Verify that Shared Library Files Have Root Ownership</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are owned by root.
</description>
<reference ref_id="file_ownership_library_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:149"/>
<criterion test_ref="oval:ssg:tst:150"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:151" version="2">
<metadata>
<title>Disable Prelinking</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Fedora 20</platform>
</affected>
<description>The prelinking feature can interfere with the operation of
checksum integrity tools (e.g. AIDE), mitigates the protection provided
by ASLR, and requires additional CPU cycles by software upgrades.
</description>
<reference source="JL" ref_id="20140313" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140313" ref_url="test_attestation" /> -->
<reference ref_id="disable_prelink" source="ssg"/></metadata>
<criteria>
<criterion comment="Ensure prelinking is disabled" test_ref="oval:ssg:tst:152"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:153" version="2">
<metadata>
<title>Set SHA512 Password Hashing Algorithm in /etc/login.defs</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The password hashing algorithm should be set correctly in /etc/login.defs.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="set_password_hashing_algorithm_logindefs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:154"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:155" version="1">
<metadata>
<title>Proper Permissions User Home Directories</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>File permissions should be set correctly for the home directories for all user accounts.</description>
<reference source="JL" ref_id="RHEL6_20141106" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20141106" ref_url="test_attestation"/>
<reference source="JL" ref_id="Fedora20_20141106" ref_url="test_attestation"/>
<reference ref_id="file_permissions_home_dirs" source="ssg"/></metadata>
<criteria>
<criterion comment="home directories" test_ref="oval:ssg:tst:156" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:157" version="3">
<metadata>
<title>Lock out account after failed login attempts</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The number of allowed failed logins should be set correctly.</description>
<reference source="JL" ref_id="RHEL6_20150122" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150122" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150122" ref_url="test_attestation"/>
<reference ref_id="accounts_passwords_pam_faillock_deny" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:158" comment="pam_faillock.so preauth silent set in system-auth"/>
<criterion test_ref="oval:ssg:tst:159" comment="pam_faillock.so authfail deny value set in system-auth"/>
<criterion test_ref="oval:ssg:tst:160" comment="pam_faillock.so set in account phase of system-auth"/>
<criterion test_ref="oval:ssg:tst:161" comment="pam_faillock.so preauth silent set in password-auth"/>
<criterion test_ref="oval:ssg:tst:162" comment="pam_faillock.so authfail deny value set in password-auth"/>
<criterion test_ref="oval:ssg:tst:163" comment="pam_faillock.so set in account phase of password-auth"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:164" version="2">
<metadata>
<title>SNMP use newer protocols</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>SNMP version 1 and 2c must not be enabled.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="snmpd_use_newer_protocol" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="SMNP installed" definition_ref="oval:ssg:def:165"/>
<criterion comment="SNMP protocols" test_ref="oval:ssg:tst:166"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:167" version="1">
<metadata>
<title>Banner for FTP Users</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>To trace malicious activity facilitated by the FTP
service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log format.
</description>
<reference source="galford" ref_id="20140812" ref_url="test_attestation"/>
<reference ref_id="ftp_log_transactions" source="ssg"/></metadata>
<criteria comment="FTP is not being used or the conditions are met" operator="OR">
<extend_definition comment="vsftp package is not installed" definition_ref="oval:ssg:def:168" negate="true"/>
<criteria comment="FTP configuration conditions are not set or are met" operator="AND">
<criterion comment="log ftp transactions enable" test_ref="oval:ssg:tst:169"/>
<criterion comment="log ftp transactions format" test_ref="oval:ssg:tst:170"/>
<criterion comment="log ftp transactions protocol" test_ref="oval:ssg:tst:171"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:172" version="1">
<metadata>
<title>Implement Blank Screensaver</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The GNOME3 screensaver should be blank.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_mode_blank" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable blank screensaver and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="screensaver is blank" test_ref="oval:ssg:tst:173"/>
<criterion comment="screensaver prevent user from changing mode" test_ref="oval:ssg:tst:174"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:175" version="2">
<metadata>
<title>Kernel Runtime Parameter "kernel.exec-shield" Check</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The kernel runtime parameter "kernel.exec-shield" should not be disabled and set to 1 on 32-bit systems.</description>
<reference source="galford" ref_id="201410" ref_url="test_attestation"/>
<reference ref_id="sysctl_kernel_exec_shield" source="ssg"/></metadata>
<criteria operator="OR">
<criteria operator="AND" comment="system is RHEL6">
<extend_definition comment="RHEL6 installed" definition_ref="oval:ssg:def:104"/>
<criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:176"/>
<criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:177"/>
</criteria>
<criteria operator="AND">
<extend_definition comment="32-bit system" definition_ref="oval:ssg:def:178"/>
<criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:176"/>
<criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:177"/>
</criteria>
<criteria operator="AND">
<extend_definition comment="64-bit system" definition_ref="oval:ssg:def:179"/>
<criterion comment="NX is supported and is not disabled" test_ref="oval:ssg:tst:180"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:181" version="1">
<metadata>
<title>Package ntp Installed</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package ntp should be installed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_ntp_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package ntp is installed" test_ref="oval:ssg:tst:182"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:165" version="1">
<metadata>
<title>Package net-snmp Removed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The RPM package net-snmp should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_net-snmp_removed" source="ssg"/></metadata>
<criteria>
<criterion comment="package net-snmp is removed" test_ref="oval:ssg:tst:183"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:179" version="1">
<!-- Note that this does not meet requirements for class=inventory as
that only tests for patches per 5.10.1 Revision 1 -->
<metadata>
<title>Test for x86_64 Architecture</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>Generic test for x86_64 architecture to be used by other tests</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="system_info_architecture_x86_64" source="ssg"/></metadata>
<criteria>
<criterion comment="Generic test for x86_64 architecture" test_ref="oval:ssg:tst:184"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:185" version="1">
<metadata>
<title>Set Password retry Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password retry should meet minimum
requirements</description>
<reference source="swells" ref_id="20140925" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_retry" source="ssg"/></metadata>
<criteria operator="OR" comment="Conditions for retry are satisfied">
<criteria operator="AND" comment="system is RHEL6 with pam_cracklib configured">
<extend_definition comment="RHEL6 installed" definition_ref="oval:ssg:def:104"/>
<criterion comment="rhel6 pam_cracklib" test_ref="oval:ssg:tst:186"/>
</criteria>
<criteria operator="AND" comment="system is RHEL7 with pam_pwquality configured">
<extend_definition comment="RHEL7 installed" definition_ref="oval:ssg:def:107"/>
<criterion comment="rhel7 pam_pwquality" test_ref="oval:ssg:tst:187"/>
</criteria>
<criteria operator="AND" comment="system is Fedora with pam_pwquality configured">
<extend_definition comment="Fedora installed" definition_ref="oval:ssg:def:100"/>
<criterion comment="Fedora pam_pwquality" test_ref="oval:ssg:tst:187"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:188" version="1">
<metadata>
<title>Package Antivirus Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Antivirus software should be installed.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="install_antivirus" source="ssg"/></metadata>
<criteria comment="Antivirus is not being used or conditions are met">
<criterion comment="Linuxshield AntiVirus package is installed" test_ref="oval:ssg:tst:189"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:190" version="1">
<metadata>
<title>Set Password minlen Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minlen should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_minlen" source="ssg"/></metadata>
<criteria operator="AND" comment="system uses pam_pwquality configured">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pam_pwquality" test_ref="oval:ssg:tst:191"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:103" version="1">
<metadata>
<title>Fedora release 20 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 20</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:20" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 20 (Schrödinger's Cat)</description>
<reference ref_id="installed_OS_is_fedora20" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 20 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:192" version="1">
<metadata>
<title>File grub.cfg Permissions</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>File permissions for grub.cfg should be set to 0600 (or stronger). By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_permissions_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:193"/>
<criterion test_ref="oval:ssg:tst:194"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:195" version="1">
<metadata>
<title>Ensure gpgcheck Enabled For All Yum Package Repositories</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Ensure all yum repositories utilize signature checking.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- rhel7 <reference source="SDW" ref_id="20131223" ref_url="test_attestation" /> -->
<reference ref_id="ensure_gpgcheck_never_disabled" source="ssg"/></metadata>
<criteria comment="ensure all yum repositories utilize signiature checking" operator="AND">
<criterion comment="verify no gpgpcheck=0 present in /etc/yum.repos.d files" test_ref="oval:ssg:tst:196"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:197" version="1">
<metadata>
<title>Enable GUI Warning Banner</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Enable the GUI warning banner.</description>
<reference source="galford" ref_id="20140902" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_login_banner_text" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Prevent user from changing banner" test_ref="oval:ssg:tst:198"/>
<criterion comment="Login banner is correctly set" test_ref="oval:ssg:tst:199"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:200" version="1">
<metadata>
<title>Verify No netrc Files Exist</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="no_netrc_files" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:201" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:178" version="1">
<!-- Note that this does not meet requirements for class=inventory as
that only tests for patches per 5.10.1 Revision 1 -->
<metadata>
<title>Test for x86 Architecture</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>Generic test for x86 architecture to be used by other tests</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="system_info_architecture_x86" source="ssg"/></metadata>
<criteria>
<criterion comment="Generic test for x86 architecture" test_ref="oval:ssg:tst:202"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:203" version="1">
<metadata>
<title>Specify a Remote NTP Server for Time Data</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>A remote NTP Server for time synchronization should be
specified (and dependencies are met)</description>
<reference source="galford" ref_id="20141111" ref_url="test_attestation"/>
<reference ref_id="ntpd_specify_remote_server" source="ssg"/></metadata>
<criteria comment="ntp.conf conditions are met">
<criterion test_ref="oval:ssg:tst:204"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:205" version="1">
<metadata>
<title>Set ClientAliveCountMax for User Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The SSH ClientAliveCountMax should be set to an appropriate
value (and dependencies are met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_set_keepalive" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config" test_ref="oval:ssg:tst:206"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:207" version="1">
<metadata>
<title>System Accounts Do Not Run a Shell</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The root account is the only system account that should have a login shell.</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="no_shelllogin_for_systemaccounts" source="ssg"/></metadata>
<criteria>
<criterion comment="tests for the presence of login shells (not /sbin/nologin) for system accounts in /etc/passwd file" test_ref="oval:ssg:tst:208"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:168" version="1">
<metadata>
<title>Package vsftpd Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package vsftpd should be installed.</description>
<reference source="JL" ref_id="20140522" ref_url="test_attestation"/>
<reference ref_id="package_vsftpd_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package vsftpd is installed" test_ref="oval:ssg:tst:209"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:210" version="1">
<metadata>
<title>Ensure insecure_locks is disabled</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Allowing insecure file locking could allow for sensitive
data to be viewed or edited by an unauthorized user.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="no_insecure_locks_exports" source="ssg"/></metadata>
<criteria>
<criterion comment="Check for insecure NFS locks in /etc/exports" test_ref="oval:ssg:tst:211"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:212" version="2">
<metadata>
<title>SNMP default communities disabled</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>SNMP default communities must be removed.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="snmpd_not_default_password" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="SMNP installed" definition_ref="oval:ssg:def:165"/>
<criterion comment="SNMP communities" test_ref="oval:ssg:tst:213"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:214" version="2">
<metadata>
<title>Set Password ucredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password ucredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_ucredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for ucredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:215"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:130" version="1">
<metadata>
<title>Check pam_pwquality Existence in system-auth</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>Check that pam_pwquality.so exists in system-auth</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_pwquality" source="ssg"/></metadata>
<criteria>
<criterion comment="Conditions for pam_pwquality are satisfied" test_ref="oval:ssg:tst:216"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:217" version="1">
<metadata>
<title>Disable GNOME3 Automounting</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives)
whenever they are inserted into the system. Disable automount and autorun
within GNOME3.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_disable_automount" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Disable automount in GNOME3" test_ref="oval:ssg:tst:218"/>
<criterion comment="Disable automount-open in GNOME3" test_ref="oval:ssg:tst:219"/>
<criterion comment="Disable autorun in GNOME3" test_ref="oval:ssg:tst:220"/>
<criterion comment="Prevent user from changing automount setting" test_ref="oval:ssg:tst:221"/>
<criterion comment="Prevent user from changing automount-open setting" test_ref="oval:ssg:tst:222"/>
<criterion comment="Prevent user from changing autorun setting" test_ref="oval:ssg:tst:223"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:142" version="1">
<metadata>
<title>Service sshd Disabled</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<description>
The sshd service should be disabled.
</description>
<reference ref_id="service_sshd_disabled" source="ssg"/></metadata>
<criteria comment="package openssh-server removed or service sshd is not configured to start" operator="OR">
<extend_definition comment="openssh-server removed" definition_ref="oval:ssg:def:132"/>
<criterion comment="sshd disabled in multi-user.target" test_ref="oval:ssg:tst:224"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:225" version="1">
<metadata>
<title>Limit Password Reuse</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The passwords to remember should be set correctly.</description>
<reference source="SDW" ref_id="20131025" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_unix_remember" source="ssg"/></metadata>
<criteria>
<criterion comment="remember parameter is set to 0" test_ref="oval:ssg:tst:226"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:227" version="1">
<metadata>
<title>Disable Empty Passwords</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Remote connections from accounts with empty passwords should
be disabled (and dependencies are met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_disable_empty_passwords" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check PermitEmptyPasswords in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg:tst:228"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:104" version="1">
<metadata>
<title>Red Hat Enterprise Linux 6</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 6</description>
<reference ref_id="installed_OS_is_rhel6" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:ssg:tst:105"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:ssg:tst:106"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:229" version="2">
<metadata>
<title>Set Password ocredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password ocredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_ocredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for ocredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:230"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:231" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password expiration warning age should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_password_warn_age_login_defs" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:232"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:233" version="1">
<metadata>
<title>Verify that System Executables Have Restrictive Permissions</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
/usr/local/bin, and /usr/local/sbin, are not group-writable or world-writable.
</description>
<reference ref_id="file_permissions_binary_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:234"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:235" version="1">
<metadata>
<title>Set Password maxrepeat Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password maxrepeat should meet minimum
requirements using pam_pwquality</description>
<reference source="galford" ref_id="20141006" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_maxrepeat" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for maxrepeat are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:236"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:237" version="1">
<metadata>
<title>File grub.cfg Owned By root User</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub.cfg file should be owned by the root user. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_user_owner_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:238"/>
<criterion test_ref="oval:ssg:tst:239"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:240" version="1">
<metadata>
<title>Verify that Shared Library Files Have Restrictive Permissions</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are not group-writable or world-writable.
</description>
<reference ref_id="file_permissions_library_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:241"/>
<criterion test_ref="oval:ssg:tst:242"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:243" version="1">
<metadata>
<title>Disable root Login via SSH</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Root login via SSH should be disabled (and dependencies are
met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_disable_root_login" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg:tst:244"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:245" version="1">
<metadata>
<title>Restrict Serial Port Root Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Preventing direct root login to serial port interfaces helps
ensure accountability for actions taken on the system using the root
account.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="restrict_serial_port_logins" source="ssg"/></metadata>
<criteria>
<criterion comment="serial ports /etc/securetty" test_ref="oval:ssg:tst:246" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:247" version="2">
<metadata>
<title>Set Password difok Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password difok should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_difok" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for difok are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:248"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:249" version="1">
<metadata>
<title>Ensure Yum gpgcheck Globally Activated</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The gpgcheck option should be used to ensure that checking
of an RPM package's signature always occurs prior to its
installation.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- rhel7: <reference source="SDW" ref_id="20131223" ref_url="test_attestation" /> -->
<reference ref_id="ensure_gpgcheck_globally_activated" source="ssg"/></metadata>
<criteria>
<criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="oval:ssg:tst:250"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:251" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minimum length should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_password_minlen_login_defs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:252"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:253" version="2">
<metadata>
<title>System Login Banner Compliance</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The system login banner text should be set correctly.</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="banner_etc_issue" source="ssg"/></metadata>
<criteria>
<criterion comment="/etc/issue is set appropriately" test_ref="oval:ssg:tst:254"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:255" version="1">
<metadata>
<title>Disable All GNOME3 Thumbnailers</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The system's default desktop environment, GNOME3, uses a
number of different thumbnailer programs to generate thumbnails for any
new or modified content in an opened folder. Disable the execution of
these thumbnail applications within GNOME3.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_disable_thumbnailers" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Disable Gnome3 Thumbnailers and prevent user from enabling" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Disable thumbnailers in GNOME3" test_ref="oval:ssg:tst:256"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:257"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:145" version="1">
<metadata>
<title>Implement Local DB for DConf User Profile</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The DConf User profile should have the local DB configured.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="enable_dconf_user_profile" source="ssg"/></metadata>
<criteria>
<criterion comment="dconf user profile exists" test_ref="oval:ssg:tst:258"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:259" version="2">
<metadata>
<title>Kernel Runtime Parameter IPv6 Check</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Disables IPv6 for all network interfaces.</description>
<reference source="galford" ref_id="20141015" ref_url="test_attestation"/>
<reference ref_id="sysctl_kernel_ipv6_disable" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="Disable IPv6 runtime check" test_ref="oval:ssg:tst:260"/>
<criterion comment="Disable IPv6 in sysctl.d conf file" test_ref="oval:ssg:tst:261"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:262" version="2">
<metadata>
<title>Set Password lcredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password lcredit should meet minimum requirements</description>
<reference source="swells" ref_id="20140926" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_lcredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for lcredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:263"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:264" version="1">
<metadata>
<title>Set Boot Loader Password</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub2 boot loader should have password protection enabled.</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="bootloader_password" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="make sure a password is defined in /etc/grub2.cfg" test_ref="oval:ssg:tst:265"/>
<criterion comment="make sure a superuser is defined in /etc/grub2.cfg" test_ref="oval:ssg:tst:266"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:267" version="1">
<metadata>
<title>All Password Hashes Shadowed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>All password hashes should be shadowed.</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="accounts_password_all_shadowed" source="ssg"/></metadata>
<criteria>
<criterion comment="password hashes are shadowed" test_ref="oval:ssg:tst:268"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:269" version="1">
<metadata>
<title>Enable GNOME3 Screensaver Idle Activation</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Idle activation of the screen saver should be enabled.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_idle_activation_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="check screensaver idle activation and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="idle activation has been configured" test_ref="oval:ssg:tst:270"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:271"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:272" version="1">
<metadata>
<title>Service ntpd Enabled</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<description>
The ntpd service should be enabled.
</description>
<reference ref_id="service_ntpd_enabled" source="ssg"/></metadata>
<criteria comment="package ntp installed and service ntpd is configured to start" operator="AND">
<extend_definition comment="ntp installed" definition_ref="oval:ssg:def:181"/>
<criterion comment="ntpd multi-user.target" test_ref="oval:ssg:tst:273"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:274" version="2">
<metadata>
<title>Write permissions are disabled for group and other in all
directories in Root's Path</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Check each directory in root's path and make use it does
not grant write permission to group and other</description>
<reference source="JL" ref_id="RHEL6_20141119" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20141119" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20141119" ref_url="test_attestation"/>
<reference ref_id="accounts_root_path_dirs_no_write" source="ssg"/></metadata>
<criteria comment="Check that write permission to group and other in root's path is denied">
<criterion comment="Check for write permission to group and other in root's path" test_ref="oval:ssg:tst:275"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:107" version="1">
<metadata>
<title>Red Hat Enterprise Linux 7</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 7</description>
<reference ref_id="installed_OS_is_rhel7" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:108"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:ssg:tst:109"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:ssg:tst:110"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:276" version="1">
<metadata>
<title>UID 0 Belongs Only To Root</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Only the root account should be assigned a user id of 0.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140303" ref_url="test_attestation" /> -->
<reference ref_id="accounts_no_uid_except_zero" source="ssg"/></metadata>
<criteria>
<criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="oval:ssg:tst:277"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:278" version="1">
<metadata>
<title>File grub.cfg Owned By root Group </title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub.cfg file should be owned by the root group. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_group_owner_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:279"/>
<criterion test_ref="oval:ssg:tst:280"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:281" version="1">
<metadata>
<title>Restrict Virtual Console Root Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system using the
root account.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="securetty_root_login_console_only" source="ssg"/></metadata>
<criteria>
<criterion comment="virtual consoles /etc/securetty" test_ref="oval:ssg:tst:282"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:283" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The minimum password age policy should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_minimum_age_login_defs" source="ssg"/></metadata>
<criteria comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs">
<criterion test_ref="oval:ssg:tst:284"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:285" version="1">
<metadata>
<title>Set Password dcredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password dcredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_dcredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for dcredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:286"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:287" version="1">
<metadata>
<title>Enable GNOME3 Screensaver Lock After Idle Period</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Idle activation of the screen lock should be enabled.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_lock_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable screensaver lock and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="screensaver lock is enabled" test_ref="oval:ssg:tst:288"/>
<criterion comment="screensaver lock prevent user from changing" test_ref="oval:ssg:tst:289"/>
<criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg:tst:290"/>
<criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg:tst:291"/>
<criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg:tst:290"/>
<criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg:tst:291"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:292" version="1">
<metadata>
<title>Banner for FTP Users</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>This setting will cause the system greeting banner to be
used for FTP connections as well.</description>
<reference source="galford" ref_id="20140812" ref_url="test_attestation"/>
<reference ref_id="ftp_present_banner" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="vsftpd package is not installed" negate="true" definition_ref="oval:ssg:def:168"/>
<criterion comment="Banner for FTP Users" test_ref="oval:ssg:tst:293"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:294" version="1">
<metadata>
<title>Configure the GNOME3 GUI Screen locking</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The allowed period of inactivity before the screensaver is activated.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_idle_delay" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="check screensaver idle delay and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="idle delay has been configured" test_ref="oval:ssg:tst:295"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:296"/>
<criterion comment="idle delay is set correctly" test_ref="oval:ssg:tst:297"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:298" version="1">
<metadata>
<title>Require Authentication for Single-User Mode</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The requirement for a password to boot into single-user mode
should be configured correctly.</description>
<reference source="galford" ref_id="20140926" ref_url="test_attestation"/>
<reference ref_id="require_singleuser_auth" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="Conditions are satisfied" test_ref="oval:ssg:tst:299"/>
<criterion test_ref="oval:ssg:tst:300"/>
<criterion test_ref="oval:ssg:tst:301" negate="true"/>
<criterion test_ref="oval:ssg:tst:302" negate="true"/>
</criteria>
</definition>
</definitions>
<tests>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure at least one NTP server is set" id="oval:ssg:tst:126" version="1">
<ind:object object_ref="oval:ssg:obj:303"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure nullok is not used in /etc/pam.d/system-auth" id="oval:ssg:tst:128" version="1">
<ind:object object_ref="oval:ssg:obj:304"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:131" version="1">
<ind:object object_ref="oval:ssg:obj:305"/>
<ind:state state_ref="oval:ssg:ste:306"/>
</ind:textfilecontent54_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:101" version="1">
<ind:object object_ref="oval:ssg:obj:111"/>
<ind:state state_ref="oval:ssg:ste:112"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="only_one_exists" comment="fedora-release is version 19" id="oval:ssg:tst:102" version="1">
<linux:object object_ref="oval:ssg:obj:113"/>
<linux:state state_ref="oval:ssg:ste:114"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg:tst:133" version="1" comment="package openssh-server is removed">
<linux:object object_ref="oval:ssg:obj:307"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:135" version="1" comment="package dconf is installed">
<linux:object object_ref="oval:ssg:obj:308"/>
</linux:rpminfo_test>
<ind:variable_test id="oval:ssg:tst:137" check="all" comment="The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:309"/>
<ind:state state_ref="oval:ssg:ste:310"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary directories uid root" id="oval:ssg:tst:139" version="1">
<unix:object object_ref="oval:ssg:obj:311"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary files uid root" id="oval:ssg:tst:140" version="1">
<unix:object object_ref="oval:ssg:obj:312"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="oval:ssg:tst:143" version="1">
<ind:object object_ref="oval:ssg:obj:313"/>
<ind:state state_ref="oval:ssg:ste:314"/>
<ind:state state_ref="oval:ssg:ste:315"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner is enabled" id="oval:ssg:tst:146" version="1">
<ind:object object_ref="oval:ssg:obj:316"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg:tst:147" version="1">
<ind:object object_ref="oval:ssg:obj:317"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="oval:ssg:tst:149" version="1">
<unix:object object_ref="oval:ssg:obj:318"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library files uid root" id="oval:ssg:tst:150" version="1">
<unix:object object_ref="oval:ssg:obj:319"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests whether prelinking is disabled" id="oval:ssg:tst:152" version="1">
<ind:object object_ref="oval:ssg:obj:320"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:154" check="all" comment="The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:321"/>
<ind:state state_ref="oval:ssg:ste:322"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="home directories" id="oval:ssg:tst:156" version="1">
<unix:object object_ref="oval:ssg:obj:323"/>
<unix:state state_ref="oval:ssg:ste:324"/>
</unix:file_test>
<ind:textfilecontent54_test id="oval:ssg:tst:158" check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth" version="1">
<ind:object object_ref="oval:ssg:obj:325"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:159" check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)" version="1">
<ind:object object_ref="oval:ssg:obj:327"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:160" check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/system-auth" version="1">
<ind:object object_ref="oval:ssg:obj:328"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:161" check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth" version="1">
<ind:object object_ref="oval:ssg:obj:329"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:162" check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)" version="1">
<ind:object object_ref="oval:ssg:obj:330"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:163" check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/password-auth" version="1">
<ind:object object_ref="oval:ssg:obj:331"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg:tst:166" version="1">
<ind:object object_ref="oval:ssg:obj:332"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:169" version="1">
<ind:object object_ref="oval:ssg:obj:333"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:170" version="1">
<ind:object object_ref="oval:ssg:obj:334"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:171" version="1">
<ind:object object_ref="oval:ssg:obj:335"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver mode is blank" id="oval:ssg:tst:173" version="1">
<ind:object object_ref="oval:ssg:obj:336"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="blank screensaver cannot be changed by user" id="oval:ssg:tst:174" version="1">
<ind:object object_ref="oval:ssg:obj:337"/>
</ind:textfilecontent54_test>
<unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter kernel.exec-shield set to 1" id="oval:ssg:tst:176" version="1">
<unix:object object_ref="oval:ssg:obj:338"/>
<unix:state state_ref="oval:ssg:ste:339"/>
</unix:sysctl_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="kernel.exec-shield static configuration" id="oval:ssg:tst:177" version="1">
<ind:object object_ref="oval:ssg:obj:340"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NX is disabled" id="oval:ssg:tst:180" version="1">
<ind:object object_ref="oval:ssg:obj:341"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:182" version="1" comment="package ntp is installed">
<linux:object object_ref="oval:ssg:obj:342"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg:tst:183" version="1" comment="package net-snmp is removed">
<linux:object object_ref="oval:ssg:obj:343"/>
</linux:rpminfo_test>
<unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg:tst:184" version="1">
<unix:object object_ref="oval:ssg:obj:344"/>
<unix:state state_ref="oval:ssg:ste:345"/>
</unix:uname_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:186" version="1">
<ind:object object_ref="oval:ssg:obj:346"/>
<ind:state state_ref="oval:ssg:ste:347"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:187" version="1">
<ind:object object_ref="oval:ssg:obj:348"/>
<ind:state state_ref="oval:ssg:ste:347"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:189" version="1" comment="AntiVirus package is installed">
<linux:object object_ref="oval:ssg:obj:349"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:191" version="1">
<ind:object object_ref="oval:ssg:obj:350"/>
<ind:state state_ref="oval:ssg:ste:351"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:ssg:tst:193" version="1">
<unix:object object_ref="oval:ssg:obj:352"/>
<unix:state state_ref="oval:ssg:ste:353"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:194" version="1">
<unix:object object_ref="oval:ssg:obj:354"/>
<unix:state state_ref="oval:ssg:ste:353"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check for existence of gpgcheck=0 in /etc/yum.repos.d/ files" id="oval:ssg:tst:196" version="1">
<ind:object object_ref="oval:ssg:obj:355"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg:tst:198" version="1">
<ind:object object_ref="oval:ssg:obj:356"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="login banner text is correctly set" id="oval:ssg:tst:199" version="1">
<ind:object object_ref="oval:ssg:obj:357"/>
<ind:state state_ref="oval:ssg:ste:358"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .netrc in /home" id="oval:ssg:tst:201" version="1">
<unix:object object_ref="oval:ssg:obj:359"/>
</unix:file_test>
<unix:uname_test check="all" comment="32 bit architecture" id="oval:ssg:tst:202" version="1">
<unix:object object_ref="oval:ssg:obj:360"/>
<unix:state state_ref="oval:ssg:ste:361"/>
</unix:uname_test>
<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure at least one NTP server is set" id="oval:ssg:tst:204" version="1">
<ind:object object_ref="oval:ssg:obj:362"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:206" version="1">
<ind:object object_ref="oval:ssg:obj:363"/>
<ind:state state_ref="oval:ssg:ste:364"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for the presence of login shells (not /sbin/nologin) for system accounts in /etc/passwd file" id="oval:ssg:tst:208" version="1">
<ind:object object_ref="oval:ssg:obj:365"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:209" version="1" comment="package vsftpd is installed">
<linux:object object_ref="oval:ssg:obj:366"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the insecure locks in /etc/exports" id="oval:ssg:tst:211" version="1">
<ind:object object_ref="oval:ssg:obj:367"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg:tst:213" version="1">
<ind:object object_ref="oval:ssg:obj:368"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:215" version="1">
<ind:object object_ref="oval:ssg:obj:369"/>
<ind:state state_ref="oval:ssg:ste:370"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:216" version="1">
<ind:object object_ref="oval:ssg:obj:371"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount in GNOME3" id="oval:ssg:tst:218" version="1">
<ind:object object_ref="oval:ssg:obj:372"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount setting" id="oval:ssg:tst:221" version="1">
<ind:object object_ref="oval:ssg:obj:373"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount-open in GNOME" id="oval:ssg:tst:219" version="1">
<ind:object object_ref="oval:ssg:obj:374"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount-open setting" id="oval:ssg:tst:222" version="1">
<ind:object object_ref="oval:ssg:obj:375"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable autorun in GNOME" id="oval:ssg:tst:220" version="1">
<ind:object object_ref="oval:ssg:obj:376"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing autorun setting" id="oval:ssg:tst:223" version="1">
<ind:object object_ref="oval:ssg:obj:377"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="none_exist" comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:tst:224" version="1">
<unix:object object_ref="oval:ssg:obj:378"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="remember is set in /etc/pam.d/system-auth" id="oval:ssg:tst:226" version="1">
<ind:object object_ref="oval:ssg:obj:379"/>
<ind:state state_ref="oval:ssg:ste:380"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:228" version="1">
<ind:object object_ref="oval:ssg:obj:381"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 6" id="oval:ssg:tst:105" version="1">
<linux:object object_ref="oval:ssg:obj:115"/>
<linux:state state_ref="oval:ssg:ste:116"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 6" id="oval:ssg:tst:106" version="1">
<linux:object object_ref="oval:ssg:obj:117"/>
<linux:state state_ref="oval:ssg:ste:118"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:230" version="1">
<ind:object object_ref="oval:ssg:obj:382"/>
<ind:state state_ref="oval:ssg:ste:383"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:232" check="all" comment="The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:384"/>
<ind:state state_ref="oval:ssg:ste:385"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary files go-w" id="oval:ssg:tst:234" version="1">
<unix:object object_ref="oval:ssg:obj:386"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:236" version="1">
<ind:object object_ref="oval:ssg:obj:387"/>
<ind:state state_ref="oval:ssg:ste:388"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg:tst:238" version="1">
<unix:object object_ref="oval:ssg:obj:389"/>
<unix:state state_ref="oval:ssg:ste:390"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:239" version="1">
<unix:object object_ref="oval:ssg:obj:391"/>
<unix:state state_ref="oval:ssg:ste:390"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="oval:ssg:tst:241" version="1">
<unix:object object_ref="oval:ssg:obj:392"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="oval:ssg:tst:242" version="1">
<unix:object object_ref="oval:ssg:obj:393"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitRootLogin[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:244" version="1">
<ind:object object_ref="oval:ssg:obj:394"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="serial ports /etc/securetty" id="oval:ssg:tst:246" version="1">
<ind:object object_ref="oval:ssg:obj:395"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:248" version="1">
<ind:object object_ref="oval:ssg:obj:396"/>
<ind:state state_ref="oval:ssg:ste:397"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="oval:ssg:tst:250" version="1">
<ind:object object_ref="oval:ssg:obj:398"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:252" check="all" comment="The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:399"/>
<ind:state state_ref="oval:ssg:ste:400"/>
</ind:variable_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/issue" id="oval:ssg:tst:254" version="1">
<ind:object object_ref="oval:ssg:obj:401"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable thumbnailers in GNOME3" id="oval:ssg:tst:256" version="1">
<ind:object object_ref="oval:ssg:obj:402"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot enable thumbnailers " id="oval:ssg:tst:257" version="1">
<ind:object object_ref="oval:ssg:obj:403"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="dconf user profile exists" id="oval:ssg:tst:258" version="1">
<ind:object object_ref="oval:ssg:obj:404"/>
</ind:textfilecontent54_test>
<unix:sysctl_test check="all" check_existence="all_exist" comment="Disable IPv6 runtime check" id="oval:ssg:tst:260" version="1">
<unix:object object_ref="oval:ssg:obj:405"/>
<unix:state state_ref="oval:ssg:ste:406"/>
</unix:sysctl_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable IPv6 in sysctl.d conf file" id="oval:ssg:tst:261" version="1">
<ind:object object_ref="oval:ssg:obj:407"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:263" version="1">
<ind:object object_ref="oval:ssg:obj:408"/>
<ind:state state_ref="oval:ssg:ste:409"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in /etc/grub2.cfg files. Superuser is not root, admin, or administrator" id="oval:ssg:tst:266" version="1">
<ind:object object_ref="oval:ssg:obj:410"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /etc/grub2.cfg" id="oval:ssg:tst:265" version="1">
<ind:object object_ref="oval:ssg:obj:411"/>
</ind:textfilecontent54_test>
<unix:password_test check="all" comment="password hashes are shadowed" id="oval:ssg:tst:268" version="1">
<unix:object object_ref="oval:ssg:obj:412"/>
<unix:state state_ref="oval:ssg:ste:413"/>
</unix:password_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="idle delay is configured" id="oval:ssg:tst:270" version="1">
<ind:object object_ref="oval:ssg:obj:414"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change idle_activation_enabled" id="oval:ssg:tst:271" version="1">
<ind:object object_ref="oval:ssg:obj:415"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for ntpd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:tst:273" version="1">
<unix:object object_ref="oval:ssg:obj:416"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="Check if there aren't directories in root's path having write permission set for group or other" id="oval:ssg:tst:275" version="1">
<unix:object object_ref="oval:ssg:obj:417"/>
</unix:file_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:108" version="1">
<ind:object object_ref="oval:ssg:obj:119"/>
<ind:state state_ref="oval:ssg:ste:120"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg:tst:109" version="1">
<linux:object object_ref="oval:ssg:obj:121"/>
<linux:state state_ref="oval:ssg:ste:122"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg:tst:110" version="1">
<linux:object object_ref="oval:ssg:obj:123"/>
<linux:state state_ref="oval:ssg:ste:124"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="oval:ssg:tst:277" version="1">
<ind:object object_ref="oval:ssg:obj:418"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg:tst:279" version="1">
<unix:object object_ref="oval:ssg:obj:419"/>
<unix:state state_ref="oval:ssg:ste:420"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:280" version="1">
<unix:object object_ref="oval:ssg:obj:421"/>
<unix:state state_ref="oval:ssg:ste:420"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="virtual consoles /etc/securetty" id="oval:ssg:tst:282" version="1">
<ind:object object_ref="oval:ssg:obj:422"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:284" check="all" comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:423"/>
<ind:state state_ref="oval:ssg:ste:424"/>
</ind:variable_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:286" version="1">
<ind:object object_ref="oval:ssg:obj:425"/>
<ind:state state_ref="oval:ssg:ste:426"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is enabled" id="oval:ssg:tst:288" version="1">
<ind:object object_ref="oval:ssg:obj:427"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock cannot be changed by user" id="oval:ssg:tst:289" version="1">
<ind:object object_ref="oval:ssg:obj:428"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is set correctly" id="oval:ssg:tst:290" version="1">
<ind:object object_ref="oval:ssg:obj:429"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock delay cannot be changed by user" id="oval:ssg:tst:291" version="1">
<ind:object object_ref="oval:ssg:obj:430"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Banner for FTP Users" id="oval:ssg:tst:293" version="1">
<ind:object object_ref="oval:ssg:obj:431"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay is configured" id="oval:ssg:tst:295" version="1">
<ind:object object_ref="oval:ssg:obj:432"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change screensaver idle delay" id="oval:ssg:tst:296" version="1">
<ind:object object_ref="oval:ssg:obj:433"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay setting is correct" id="oval:ssg:tst:297" version="1">
<ind:object object_ref="oval:ssg:obj:434"/>
<ind:state state_ref="oval:ssg:ste:435"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode" id="oval:ssg:tst:299" version="1">
<ind:object object_ref="oval:ssg:obj:436"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that the systemd rescue.service is in the runlevel1.target" id="oval:ssg:tst:300" version="1">
<ind:object object_ref="oval:ssg:obj:437"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for rescue.service in /etc/systemd/system" id="oval:ssg:tst:302" version="1">
<unix:object object_ref="oval:ssg:obj:438"/>
</unix:file_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg:tst:301" version="1">
<unix:object object_ref="oval:ssg:obj:439"/>
</unix:file_test>
</tests>
<objects>
<ind:textfilecontent54_object comment="Ensure more than one NTP server is set" id="oval:ssg:obj:303" version="1">
<ind:filepath>/etc/ntp.conf</ind:filepath>
<ind:pattern operation="pattern match">^([\s]*server[\s]+.+$){2,}$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:304" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">\s*nullok\s*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:305" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:family_object id="oval:ssg:obj:111" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:113" version="1">
<linux:name>fedora-release</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:307" version="1">
<linux:name>openssh-server</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:308" version="1">
<linux:name>dconf</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:440" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MAX_DAYS directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MAX_DAYS directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:309" version="1">
<ind:var_ref>oval:ssg:var:441</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="binary directories" id="oval:ssg:obj:311" version="1">
<!-- Check that /bin, /sbin, /usr/sbin, /usr/sbin, /usr/local/bin, and
/usr/local/sbin directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:442</filter>
</unix:file_object>
<unix:file_object comment="binary files" id="oval:ssg:obj:312" version="1">
<!-- Check that files within /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, and
/usr/local/sbin directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:442</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:313" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:316" version="1">
<ind:path>/etc/dconf/db/gdm.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:317" version="1">
<ind:path>/etc/dconf/db/gdm.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/login-screen/banner-message-enable$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="library directories" id="oval:ssg:obj:318" version="1">
<!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:443</filter>
</unix:file_object>
<unix:file_object comment="library files" id="oval:ssg:obj:319" version="1">
<!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:443</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:320" version="2">
<ind:filepath>/etc/sysconfig/prelink</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*PRELINKING=no[\s]*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:444" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last ENCRYPT_METHOD directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of ENCRYPT_METHOD directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:321" version="1">
<ind:var_ref>oval:ssg:var:445</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="home directories" id="oval:ssg:obj:323" version="2">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
<unix:path operation="equals">/home</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="exclude">oval:ssg:ste:446</filter>
<filter action="include">oval:ssg:ste:324</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:325" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:327" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:328" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:329" version="1">
<!-- Read whole /etc/pam.d/password-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:330" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:331" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:332" version="1">
<ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:333" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*xferlog_enable[\s]*=[\s]*YES$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:334" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*xferlog_std_format[\s]*=[\s]*NO$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:335" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*log_ftp_protocol[\s]*=[\s]*YES$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:336" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=\'\'$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:337" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/picture-uri$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:340" version="1">
<ind:filepath>/etc/sysctl.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:sysctl_object id="oval:ssg:obj:338" version="1">
<unix:name>kernel.exec-shield</unix:name>
</unix:sysctl_object>
<ind:textfilecontent54_object id="oval:ssg:obj:341" version="1">
<ind:filepath>/boot/grub2/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">[\s]*noexec[\s]*=[\s]*off</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:342" version="1">
<linux:name>ntp</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:343" version="1">
<linux:name>net-snmp</linux:name>
</linux:rpminfo_object>
<unix:uname_object comment="64 bit architecture" id="oval:ssg:obj:344" version="1"/>
<ind:textfilecontent54_object id="oval:ssg:obj:346" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*retry=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:348" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:349" version="1">
<linux:name>McAfeeVSEForLinux</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:350" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:352" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:354" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:355" version="1">
<ind:path>/etc/yum.repos.d</ind:path>
<ind:filename operation="pattern match">.*</ind:filename>
<ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*0\s*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:356" version="1">
<ind:path>/etc/dconf/db/gdm.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/login-screen/banner-message-text$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:357" version="1">
<ind:path>/etc/dconf/db/gdm.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^banner-message-text=[\s']*([^']*)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for .netrc in /home" id="oval:ssg:obj:359" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
<unix:path operation="equals">/home</unix:path>
<unix:filename operation="pattern match">^\.netrc$</unix:filename>
</unix:file_object>
<unix:uname_object comment="32 bit architecture" id="oval:ssg:obj:360" version="1"/>
<ind:textfilecontent54_object comment="Ensure at least one NTP server is set" id="oval:ssg:obj:362" version="1">
<ind:filepath>/etc/ntp.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:363" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:365" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:366" version="1">
<linux:name>vsftpd</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:367" version="2">
<ind:filepath>/etc/exports</ind:filepath>
<ind:pattern operation="pattern match">^(.*?(\binsecure_locks\b)[^$]*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:368" version="1">
<ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:369" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^ucredit[s\]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:371" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:372" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:373" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:374" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:375" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:376" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:377" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:obj:378" version="1">
<unix:filepath>/etc/systemd/system/multi-user.target.wants/sshd.service</unix:filepath>
<filter action="include">oval:ssg:ste:447</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:379" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:381" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:115" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:117" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:382" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:448" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_WARN_AGE directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_WARN_AGE directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:384" version="1">
<ind:var_ref>oval:ssg:var:449</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="binary files" id="oval:ssg:obj:386" version="1">
<!-- Check that binary files under /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
and /usr/local/sbin directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:450</filter>
<filter action="exclude">oval:ssg:ste:451</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:387" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:389" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:391" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="library directories" id="oval:ssg:obj:392" version="1">
<!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:452</filter>
<filter action="exclude">oval:ssg:ste:453</filter>
</unix:file_object>
<unix:file_object comment="library files" id="oval:ssg:obj:393" version="1">
<!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:452</filter>
<filter action="exclude">oval:ssg:ste:453</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:394" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="serial ports /etc/securetty" id="oval:ssg:obj:395" version="1">
<ind:filepath>/etc/securetty</ind:filepath>
<ind:pattern operation="pattern match">^ttyS[0-9]+$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:396" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^difok[\s]*=[\s]*(\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:398" comment="gpgcheck set in /etc/yum.conf" version="1">
<ind:filepath>/etc/yum.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*1\s*$</ind:pattern>
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:454" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MIN_LEN directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MIN_LEN directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:399" version="1">
<ind:var_ref>oval:ssg:var:455</ind:var_ref>
</ind:variable_object>
<ind:textfilecontent54_object id="oval:ssg:obj:401" version="1">
<ind:filepath>/etc/issue</ind:filepath>
<ind:pattern var_ref="oval:ssg:var:456" operation="pattern match"/>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:402" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/thumbnailers]([^\n]*\n+)+?disable-all=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:403" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/thumbnailers/disable-all$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:404" version="2">
<ind:filepath>/etc/dconf/profile/user</ind:filepath>
<ind:pattern operation="pattern match">^user-db:user\nsystem-db:local$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:407" version="1">
<ind:filepath>/etc/sysctl.d/ipv6.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:sysctl_object id="oval:ssg:obj:405" version="1">
<unix:name>net.ipv6.conf.all.disable_ipv6</unix:name>
</unix:sysctl_object>
<ind:textfilecontent54_object id="oval:ssg:obj:408" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:410" version="1">
<ind:filepath>/etc/grub2.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:411" version="1">
<ind:filepath>/etc/grub2.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:password_object id="oval:ssg:obj:412" version="1">
<unix:username operation="pattern match">.*</unix:username>
</unix:password_object>
<ind:textfilecontent54_object id="oval:ssg:obj:414" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:415" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/idle-activation-enabled$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for ntpd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:obj:416" version="1">
<unix:filepath>/etc/systemd/system/multi-user.target.wants/ntpd.service</unix:filepath>
<filter action="include">oval:ssg:ste:447</filter>
</unix:file_object>
<ind:environmentvariable58_object id="oval:ssg:obj:457" version="1">
<ind:pid xsi:nil="true" datatype="int"/>
<ind:name>PATH</ind:name>
</ind:environmentvariable58_object>
<unix:file_object comment="root's path directories with wrong group / other write permissions" id="oval:ssg:obj:417" version="1">
<unix:path var_ref="oval:ssg:var:458" var_check="at least one"/>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:459</filter>
<filter action="exclude">oval:ssg:ste:460</filter>
</unix:file_object>
<ind:family_object id="oval:ssg:obj:119" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:121" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:123" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:418" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]*:0</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:419" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:421" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<ind:textfilecontent54_object comment="virtual consoles /etc/securetty" id="oval:ssg:obj:422" version="1">
<ind:filepath>/etc/securetty</ind:filepath>
<ind:pattern operation="pattern match">^vc/[0-9]+$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:461" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MIN_DAYS directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MIN_DAYS directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:423" version="1">
<ind:var_ref>oval:ssg:var:462</ind:var_ref>
</ind:variable_object>
<ind:textfilecontent54_object id="oval:ssg:obj:425" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:427" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:428" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-enabled$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:429" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-delay=0$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:430" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-delay$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="Banner for FTP Users" id="oval:ssg:obj:431" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*banner_file[\s]*=[\s]*/etc/issue*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:432" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=[0-9]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:433" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/session/idle-delay$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:434" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^idle-delay[\s=]*([^=\s]*)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:436" version="1">
<ind:filepath>/usr/lib/systemd/system/rescue.service</ind:filepath>
<ind:pattern operation="pattern match">^ExecStart=\-.*/sbin/sulogin</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:437" version="1">
<ind:filepath>/usr/lib/systemd/system/runlevel1.target</ind:filepath>
<ind:pattern operation="pattern match">^Requires=.*rescue.service</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for rescue.service in /etc/systemd/system" id="oval:ssg:obj:438" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
<unix:path operation="equals">/etc/systemd/system</unix:path>
<unix:filename operation="pattern match">^rescue.service$</unix:filename>
</unix:file_object>
<unix:file_object comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg:obj:439" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
<unix:path operation="equals">/etc/systemd/system</unix:path>
<unix:filename operation="pattern match">^runlevel1.target$</unix:filename>
</unix:file_object>
</objects>
<states>
<ind:textfilecontent54_state id="oval:ssg:ste:306" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:463"/>
</ind:textfilecontent54_state>
<ind:family_state id="oval:ssg:ste:112" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:114" version="1">
<linux:version operation="pattern match">^19$</linux:version>
</linux:rpminfo_state>
<ind:variable_state id="oval:ssg:ste:310" version="1">
<ind:value operation="less than or equal" var_ref="oval:ssg:var:464" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:442" version="1" operator="OR">
<unix:user_id datatype="int" operation="not equal">0</unix:user_id>
</unix:file_state>
<ind:textfilecontent54_state comment="upper bound of ClientAliveInterval in seconds" id="oval:ssg:ste:314" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg:var:465"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state comment="lower bound of ClientAliveInterval in seconds" id="oval:ssg:ste:315" version="1">
<ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:443" version="1">
<unix:user_id datatype="int" operation="not equal">0</unix:user_id>
</unix:file_state>
<ind:variable_state id="oval:ssg:ste:322" version="1">
<ind:value operation="equals" datatype="string">SHA512</ind:value>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:446" version="1">
<!-- Exclude /home directory itself from the check. Check /home/* directories only. -->
<unix:path operation="equals">/home</unix:path>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:324" version="1" operator="OR">
<unix:suid datatype="boolean">true</unix:suid>
<unix:sgid datatype="boolean">true</unix:sgid>
<unix:sticky datatype="boolean">true</unix:sticky>
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:oread datatype="boolean">true</unix:oread>
<unix:owrite datatype="boolean">true</unix:owrite>
<unix:oexec datatype="boolean">true</unix:oexec>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:326" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:466"/>
</ind:textfilecontent54_state>
<unix:sysctl_state id="oval:ssg:ste:339" version="1">
<unix:value datatype="int" operation="equals">1</unix:value>
</unix:sysctl_state>
<unix:uname_state comment="64 bit architecture" id="oval:ssg:ste:345" version="1">
<unix:processor_type operation="equals">x86_64</unix:processor_type>
</unix:uname_state>
<ind:textfilecontent54_state id="oval:ssg:ste:347" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:467"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:351" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:468"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:353" version="1">
<unix:uexec datatype="boolean">false</unix:uexec>
<unix:gread datatype="boolean">false</unix:gread>
<unix:gwrite datatype="boolean">false</unix:gwrite>
<unix:gexec datatype="boolean">false</unix:gexec>
<unix:oread datatype="boolean">false</unix:oread>
<unix:owrite datatype="boolean">false</unix:owrite>
<unix:oexec datatype="boolean">false</unix:oexec>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:358" version="1">
<ind:subexpression datatype="string" operation="pattern match" var_ref="oval:ssg:var:456"/>
</ind:textfilecontent54_state>
<unix:uname_state comment="32 bit architecture" id="oval:ssg:ste:361" version="1">
<unix:processor_type operation="equals">i686</unix:processor_type>
</unix:uname_state>
<ind:textfilecontent54_state id="oval:ssg:ste:364" version="1">
<ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:370" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:469"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:447" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:380" version="1">
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:470"/>
</ind:textfilecontent54_state>
<linux:rpminfo_state id="oval:ssg:ste:116" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:118" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<ind:textfilecontent54_state id="oval:ssg:ste:383" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:471"/>
</ind:textfilecontent54_state>
<ind:variable_state id="oval:ssg:ste:385" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:472" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:450" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:451" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:388" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:473"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:390" version="1">
<unix:user_id datatype="int">0</unix:user_id>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:452" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:453" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:397" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:474"/>
</ind:textfilecontent54_state>
<ind:variable_state id="oval:ssg:ste:400" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:475" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:sysctl_state id="oval:ssg:ste:406" version="1">
<unix:value datatype="int" operation="equals">1</unix:value>
</unix:sysctl_state>
<ind:textfilecontent54_state id="oval:ssg:ste:409" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:476"/>
</ind:textfilecontent54_state>
<unix:password_state id="oval:ssg:ste:413" version="1">
<unix:password>x</unix:password>
</unix:password_state>
<unix:file_state comment="group or other has write privilege" id="oval:ssg:ste:459" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state comment="symbolic link" id="oval:ssg:ste:460" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:family_state id="oval:ssg:ste:120" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:122" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:124" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<unix:file_state id="oval:ssg:ste:420" version="1">
<unix:group_id datatype="int">0</unix:group_id>
</unix:file_state>
<ind:variable_state id="oval:ssg:ste:424" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:477" datatype="int" var_check="at least one"/>
</ind:variable_state>
<ind:textfilecontent54_state id="oval:ssg:ste:426" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:478"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:435" version="1">
<ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:479"/>
</ind:textfilecontent54_state>
</states>
<variables>
<external_variable comment="External variable for pam_cracklib minclass" datatype="int" id="oval:ssg:var:463" version="1"/>
<local_variable id="oval:ssg:var:441" datatype="int" comment="The value of last PASS_MAX_DAYS directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MAX_DAYS\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:440"/>
</regex_capture>
</local_variable>
<external_variable comment="Maximum password age" datatype="int" id="oval:ssg:var:464" version="1"/>
<external_variable comment="timeout value" datatype="int" id="oval:ssg:var:465" version="1"/>
<local_variable id="oval:ssg:var:445" datatype="string" comment="The value of last ENCRYPT_METHOD directive in /etc/login.defs" version="1">
<regex_capture pattern="ENCRYPT_METHOD\s+(\w+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:444"/>
</regex_capture>
</local_variable>
<external_variable id="oval:ssg:var:466" datatype="int" comment="number of failed login attempts allowed" version="1"/>
<external_variable comment="External variable for pam_cracklib retry" datatype="int" id="oval:ssg:var:467" version="1"/>
<external_variable comment="External variable for pam_cracklib minlen" datatype="int" id="oval:ssg:var:468" version="1"/>
<external_variable comment="external variable for GDM login banner text" datatype="string" id="oval:ssg:var:456" version="1"/>
<external_variable comment="External variable for pam_cracklib ucredit" datatype="int" id="oval:ssg:var:469" version="1"/>
<external_variable comment="number of passwords that should be remembered" datatype="int" id="oval:ssg:var:470" version="1"/>
<external_variable comment="External variable for pam_cracklib ocredit" datatype="int" id="oval:ssg:var:471" version="1"/>
<local_variable id="oval:ssg:var:449" datatype="int" comment="The value of last PASS_WARN_AGE directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_WARN_AGE\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:448"/>
</regex_capture>
</local_variable>
<external_variable comment="password expiration warning age in days" datatype="int" id="oval:ssg:var:472" version="1"/>
<external_variable comment="External variable for pam_cracklib maxrepeat" datatype="int" id="oval:ssg:var:473" version="1"/>
<external_variable comment="External variable for pam_cracklib difok" datatype="int" id="oval:ssg:var:474" version="1"/>
<local_variable id="oval:ssg:var:455" datatype="int" comment="The value of last PASS_MIN_LEN directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MIN_LEN\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:454"/>
</regex_capture>
</local_variable>
<external_variable comment="Password minimum length" datatype="int" id="oval:ssg:var:475" version="1"/>
<external_variable comment="External variable for pam_cracklib lcredit" datatype="int" id="oval:ssg:var:476" version="1"/>
<local_variable comment="Split the PATH on the : delimiter" datatype="string" id="oval:ssg:var:458" version="1">
<split delimiter=":">
<object_component item_field="value" object_ref="oval:ssg:obj:457"/>
</split>
</local_variable>
<local_variable id="oval:ssg:var:462" datatype="int" comment="The value of last PASS_MIN_DAYS directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MIN_DAYS\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:461"/>
</regex_capture>
</local_variable>
<external_variable comment="Minimum password age in days" datatype="int" id="oval:ssg:var:477" version="1"/>
<external_variable comment="External variable for pam_cracklib dcredit" datatype="int" id="oval:ssg:var:478" version="1"/>
<external_variable comment="inactivity timeout variable" datatype="string" id="oval:ssg:var:479" version="1"/>
</variables>
</oval_definitions>
</ds:component>
<ds:component id="scap_org.open-scap_comp_ssg-fedora-xccdf-1.2.xml" timestamp="2015-03-17T12:23:35">
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_FEDORA" resolved="1" xml:lang="en-US">
<status date="2015-03-17">draft</status>
<title xml:lang="en-US">Guide to the Secure Configuration of Fedora</title>
<description xml:lang="en-US">This guide presents a catalog of security-relevant configuration
settings for Fedora operating system formatted in the eXtensible Configuration
Checklist Description Format (XCCDF).
<br xmlns="http://www.w3.org/1999/xhtml"/>
<br xmlns="http://www.w3.org/1999/xhtml"/>
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a <i xmlns="http://www.w3.org/1999/xhtml">catalog, not a
checklist,</i> and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives. Some example
XCCDF <i xmlns="http://www.w3.org/1999/xhtml">Profiles</i>, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP).
</description>
<notice xml:lang="en-US" id="terms_of_use">Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.</notice>
<front-matter xml:lang="en-US">
<p xmlns="http://www.w3.org/1999/xhtml">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="Layer_1" xml:space="preserve" height="140px" viewBox="30 100 330 150" width="350px" version="1.1" y="0px" x="0px" enable-background="new 30 100 330 150">
<g fill="#3A3B3B">
<path d="m197.1 150.3s-10.1-1.2-14.4-1.2c-7.2 0-11.0 2.6-11.0 8.3 0 6.6 3.5 7.7 12.3 9.6 10.1 2.3 14.5 4.7 14.5 13.6 0 11.2-6.1 15.6-16.1 15.6-6.0 0-16.0-1.6-16.0-1.6l0.6-4.7s9.9 1.3 15.1 1.3c7.2 0 10.8-3.1 10.8-10.2 0-5.7-3.0-7.3-11.2-8.9-10.4-2.3-15.7-4.7-15.7-14.4 0-9.8 6.4-13.6 16.3-13.6 6.0 0 15.3 1.5 15.3 1.5l-0.5 4.8z"/>
<path d="m238.7 194.6c-3.6 0.7-9.1 1.5-13.9 1.5-15.1 0-18.5-9.2-18.5-25.9 0-17.1 3.3-26.1 18.5-26.1 5.2 0 10.7 1.0 13.9 1.6l-0.2 4.7c-3.3-0.6-9.2-1.3-13.1-1.3-11.2 0-13.2 6.7-13.2 21.1 0 14.1 1.8 20.8 13.4 20.8 4.1 0 9.5-0.7 13.0-1.3l0.2 4.8z"/>
<path d="m257.5 144.9h12.3l13.9 50.5h-5.6l-3.7-13.0h-21.6l-3.7 13.0h-5.5l13.9-50.5zm-3.4 32.5h19.1l-7.7-27.7h-3.8l-7.7 27.7z"/>
<path d="m297.2 178.4v17.0h-5.6v-50.5h18.5c11.0 0 16.1 5.3 16.1 16.3 0 11.0-5.1 17.2-16.1 17.2h-12.9zm12.8-5.0c7.4 0 10.4-4.5 10.4-12.3 0-7.7-3.1-11.3-10.4-11.3h-12.8v23.6h12.8z"/>
</g>
<g fill="#676767">
<path d="m176.8 211.2s-2.8-0.3-4.0-0.3c-1.5 0-2.2 0.5-2.2 1.4 0 0.9 0.5 1.2 2.8 1.9 2.9 0.9 3.8 1.8 3.8 4.0 0 3.0-2.0 4.3-4.7 4.3-1.9 0-4.5-0.6-4.5-0.6l0.3-2.1s2.7 0.4 4.1 0.4c1.5 0 2.1-0.7 2.1-1.8 0-0.8-0.5-1.2-2.4-1.8-3.1-0.9-4.2-1.9-4.2-4.1 0-2.8 1.9-4.0 4.6-4.0 1.8 0 4.5 0.5 4.5 0.5l-0.2 2.2z"/>
<path d="m180.6 208.7h8.8v2.4h-6.0v3.2h4.8v2.4h-4.9v3.3h6.0v2.4h-8.8v-13.6z"/>
<path d="m201.2 222.1c-0.9 0.2-2.7 0.5-4.0 0.5-4.2 0-5.2-2.3-5.2-7.0 0-5.2 1.2-7.0 5.2-7.0 1.4 0 3.1 0.3 4.0 0.5l-0.1 2.2c-0.9-0.1-2.6-0.3-3.5-0.3-2.1 0-2.8 0.7-2.8 4.6 0 3.7 0.5 4.6 2.8 4.6 0.9 0 2.6-0.2 3.4-0.3l0.1 2.3z"/>
<path d="m209.5 220.2c1.6 0 2.4-0.8 2.4-2.4v-9.1h2.8v9.0c0 3.4-1.8 4.8-5.2 4.8-3.4 0-5.2-1.4-5.2-4.8v-9.0h2.8v9.1c0 1.6 0.8 2.4 2.4 2.4z"/>
<path d="m221.3 217.8v4.6h-2.8v-13.6h5.3c3.1 0 4.8 1.4 4.8 4.5 0 1.9-0.8 3.1-2.0 3.9l1.9 5.2h-3.0l-1.6-4.6h-2.7zm2.5-6.7h-2.5v4.3h2.6c1.4 0 1.9-1.0 1.9-2.2 0-1.3-0.7-2.2-2.0-2.2z"/>
<path d="m231.9 208.7h2.8v13.6h-2.8v-13.6z"/>
<path d="m237.4 208.7h10.0v2.4h-3.6v11.2h-2.8v-11.2h-3.6v-2.4z"/>
<path d="m255.7 222.3h-2.8v-5.5l-4.2-8.1h3.1l2.5 5.4 2.5-5.4h3.1l-4.2 8.1v5.5z"/>
<path d="m273.4 215.1h4.0v7.1s-2.9 0.5-4.6 0.5c-4.4 0-5.6-2.5-5.6-7.0 0-5.0 1.4-7.0 5.5-7.0 2.1 0 4.7 0.6 4.7 0.6l-0.1 2.1s-2.4-0.3-4.2-0.3c-2.4 0-3.1 0.8-3.1 4.6 0 3.6 0.5 4.6 3.0 4.6 0.8 0 1.7-0.1 1.7-0.1v-2.6h-1.2v-2.4z"/>
<path d="m286 220.2c1.6 0 2.4-0.8 2.4-2.4v-9.1h2.8v9.0c0 3.4-1.8 4.8-5.2 4.8s-5.2-1.4-5.2-4.8v-9.0h2.8v9.1c0 1.6 0.8 2.4 2.4 2.4z"/>
<path d="m295.0 208.7h2.8v13.6h-2.8v-13.6z"/>
<path d="m301.8 222.3v-13.6h4.6c4.7 0 5.8 2.0 5.6 6.5 0 4.6-0.9 7.1-5.8 7.1h-4.6zm4.6-11.2h-1.8v8.8h1.8c2.7 0 2.9-1.6 2.9-4.7 0-3.0-0.3-4.1-3.0-4.1z"/>
<path d="m315.5 208.7h8.8v2.4h-6.0v3.2h4.8v2.4h-4.8v3.3h6.0v2.4h-8.8v-13.6z"/>
</g>
<path d="m116.0 204.9h-2.8c-1.5 0-2.8 1.2-2.8 2.7v19.2c0 1.5 1.3 2.7 2.8 2.7h27.9c1.5 0 2.8-1.2 2.8-2.7v-19.2c0-1.5-1.3-2.7-2.8-2.7h-2.8v-8.2c0-6.1-5.0-11.0-11.2-11.0-6.2 0-11.2 4.9-11.2 11.0v8.2zm5.6-8.2c0-3.0 2.5-5.5 5.6-5.4 3.1 0 5.6 2.4 5.6 5.5v8.2h-11.2v-8.2z" fill="#6D0B2B"/>
<g fill="#AD1D3F">
<path d="m106.4 214.7c-16.4 11.4-37.5 7.8-50.0-3.4l11.9-11.7c2.3-1.9 3.4-5.4 1.2-8.8-0.1-0.1-6.7-11.0 2.3-19.8 7.3-7.2 17.8-5.8 23.3-0.3 3.2 3.1 4.9 7.1 4.9 11.4v0.1c0 4.3-1.8 8.5-5.1 11.7-4.0 3.9-9.6 5.4-15.4 4.1-2.1-0.5-4.3 0.8-4.8 2.9-0.5 2.1 0.8 4.2 2.9 4.7 8.4 2.0 16.9-0.3 22.8-6.1 4.9-4.8 7.5-10.9 7.4-17.4-0.0-6.3-2.6-12.3-7.3-16.8-8.2-8.1-23.8-10.3-34.5 0.3-10.7 10.5-6.6 23.8-3.7 28.8l-12.8 12.6c-2.9 2.9-2.3 6.6-0.2 8.7 15.4 15.2 38.7 17.9 56.9 8.2l-0.0-9.1z"/>
<path d="m43.9 188.4c-1.1-7.5-1.1-21.8 11.2-33.9 8.0-7.9 18.5-12.0 29.5-11.7 10.2 0.3 20.1 4.5 27.1 11.4 7.6 7.4 11.8 17.3 11.9 27.8v0.1c1.16-0.3 2.4-0.4 3.6-0.4 1.5 0 2.9 0.2 4.3 0.6 0-0.1 0.0-0.2 0.0-0.3-0.1-12.5-5.2-24.3-14.2-33.2-8.4-8.3-20.2-13.3-32.4-13.7-13.2-0.5-25.8 4.5-35.4 14.0-9.1 8.9-14.0 20.8-14.0 33.3 0 2.4 0.2 4.8 0.5 7.2 0.6 4.0 1.8 8.1 3.7 12.2 0.9 2.0 3.2 2.8 5.2 1.9 2.0-0.9 2.9-3.1 2.0-5.1-1.5-3.3-2.6-6.8-3.1-10.1z"/>
</g>
<circle cy="218.49" cx="127.26" r="3.233" fill="#fff"/>
</svg>
</p>
</front-matter>
<rear-matter xml:lang="en-US">Red Hat and Fedora are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
<platform idref="cpe:/o:fedoraproject:fedora:21"/>
<platform idref="cpe:/o:fedoraproject:fedora:20"/>
<platform idref="cpe:/o:fedoraproject:fedora:19"/>
<version>0.0.4</version>
<model system="urn:xccdf:scoring:default"/>
<Profile id="xccdf_org.ssgproject.content_profile_common">
<title xml:lang="en-US">Common Profile for General-Purpose Fedora Systems</title>
<description xml:lang="en-US">This profile contains items common to general-purpose Fedora installations.</description>
<select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_uidzero_except_root" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" selector="12"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="7"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" selector="7"/>
<refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="5_minutes"/>
</Profile>
<Value id="xccdf_org.ssgproject.content_value_conditional_clause" operator="equals" type="string">
<title xml:lang="en-US">A conditional clause for check statements.</title>
<description xml:lang="en-US">A conditional clause for check statements.</description>
<value>This is a placeholder.</value>
</Value>
<Group id="xccdf_org.ssgproject.content_group_intro">
<title xml:lang="en-US">Introduction</title>
<description xml:lang="en-US"><!-- purpose and scope of guidance -->
The purpose of this guidance is to provide security configuration
recommendations and baselines for the Fedora operating system.
Recommended settings for the basic operating system are provided,
as well as for many network services that the system can provide
to other systems.
<!-- audience -->The guide is intended for system administrators. Readers are assumed to
possess basic system administration skills for Unix-like systems, as well
as some familiarity with Fedora's documentation and administration
conventions. Some instructions within this guide are complex.
All directions should be followed completely and with understanding of
their effects in order to avoid serious adverse effects on the system
and its security.
</description>
<Group id="xccdf_org.ssgproject.content_group_general-principles">
<title xml:lang="en-US">General Principles</title>
<description xml:lang="en-US">
The following general principles motivate much of the advice in this
guide and should also influence any configuration decisions that are
not explicitly covered.
</description>
<Group id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">
<title xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title>
<description xml:lang="en-US">
Data transmitted over a network, whether wired or wireless, is susceptible
to passive monitoring. Whenever practical solutions for encrypting
such data exist, they should be applied. Even if data is expected to
be transmitted only over a local network, it should still be encrypted.
Encrypting authentication data, such as passwords, is particularly
important. Networks of Fedora machines can and should be configured
so that no unencrypted authentication data is ever transmitted between
machines.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_principle-minimize-software">
<title xml:lang="en-US">Minimize Software to Minimize Vulnerability</title>
<description xml:lang="en-US">
The simplest way to avoid vulnerabilities in software is to avoid
installing that software. On Fedora, the RPM Package Manager (originally
Red Hat Package Manager, abbreviated RPM) allows for careful management of
the set of software packages installed on a system. Installed software
contributes to system vulnerability in several ways. Packages that
include setuid programs may provide local attackers a potential path to
privilege escalation. Packages that include network services may give
this opportunity to network-based attackers. Packages that include
programs which are predictably executed by local users (e.g. after
graphical login) may provide opportunities for trojan horses or other
attack code to be run undetected. The number of software packages
installed on a system can almost always be significantly pruned to include
only the software for which there is an environmental or operational need.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_principle-separate-servers">
<title xml:lang="en-US">Run Different Network Services on Separate Systems</title>
<description xml:lang="en-US">
Whenever possible, a server should be dedicated to serving exactly one
network service. This limits the number of other services that can
be compromised in the event that an attacker is able to successfully
exploit a software flaw in one network service.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_principle-use-security-tools">
<title xml:lang="en-US">Configure Security Tools to Improve System Robustness</title>
<description xml:lang="en-US">
Several tools exist which can be effectively used to improve a system's
resistance to and detection of unknown attacks. These tools can improve
robustness against attack at the cost of relatively little configuration
effort. In particular, this guide recommends and discusses the use of
Iptables for host-based firewalling, SELinux for protection against
vulnerable services, and a logging and auditing infrastructure for
detection of problems.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_principle-least-privilege">
<title xml:lang="en-US">Least Privilege</title>
<description xml:lang="en-US">
Grant the least privilege necessary for user accounts and software to perform tasks.
For example, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> can be implemented to limit authorization to super user
accounts on the system only to designated personnel. Another example is to limit
logins on server systems to only those administrators who need to log into them in
order to perform administration tasks. Using SELinux also follows the principle of
least privilege: SELinux policy can confine software to perform only actions on the
system that are specifically allowed. This can be far more restrictive than the
actions permissible by the traditional Unix permissions model.
</description>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_how-to-use">
<title xml:lang="en-US">How to Use This Guide</title>
<description xml:lang="en-US">
Readers should heed the following points when using the guide.
</description>
<Group id="xccdf_org.ssgproject.content_group_intro-read-sections-completely">
<title xml:lang="en-US">Read Sections Completely and in Order</title>
<description xml:lang="en-US">
Each section may build on information and recommendations discussed in
prior sections. Each section should be read and understood completely;
instructions should never be blindly applied. Relevant discussion may
occur after instructions for an action.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_intro-test-non-production">
<title xml:lang="en-US">Test in Non-Production Environment</title>
<description xml:lang="en-US">
This guidance should always be tested in a non-production environment
before deployment. This test environment should simulate the setup in
which the system will be deployed as closely as possible.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed">
<title xml:lang="en-US">Root Shell Environment Assumed</title>
<description xml:lang="en-US">
Most of the actions listed in this document are written with the
assumption that they will be executed by the root user running the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/bin/bash</xhtml:code> shell. Commands preceded with a hash mark (#)
assume that the administrator will execute the commands as root, i.e.
apply the command via <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> whenever possible, or use
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">su</xhtml:code> to gain root privileges if <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> cannot be
used. Commands which can be executed as a non-root user are are preceded
by a dollar sign ($) prompt.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_intro-formatting-conventions">
<title xml:lang="en-US">Formatting Conventions</title>
<description xml:lang="en-US">
Commands intended for shell execution, as well as configuration file text,
are featured in a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">monospace font</xhtml:code>. <i xmlns="http://www.w3.org/1999/xhtml">Italics</i> are used
to indicate instances where the system administrator must substitute
the appropriate information into a command or configuration file.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_intro-reboot-required">
<title xml:lang="en-US">Reboot Required</title>
<description xml:lang="en-US">
A system reboot is implicitly required after some actions in order to
complete the reconfiguration of the system. In many cases, the changes
will not take effect until a reboot is performed. In order to ensure
that changes are applied properly and to test functionality, always
reboot the system after applying a set of recommendations from this guide.
</description>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_system">
<title xml:lang="en-US">System Settings</title>
<Group id="xccdf_org.ssgproject.content_group_software">
<title xml:lang="en-US">Installing and Maintaining Software</title>
<description xml:lang="en-US">The following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates.</description>
<Group id="xccdf_org.ssgproject.content_group_updating">
<title xml:lang="en-US">Updating Software</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the <b xmlns="http://www.w3.org/1999/xhtml">System</b> menu, in the <b xmlns="http://www.w3.org/1999/xhtml">Administration</b> submenu,
called <b xmlns="http://www.w3.org/1999/xhtml">Software Update</b>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Fedora systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Tools such as
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> or the graphical <b xmlns="http://www.w3.org/1999/xhtml">Software Update</b> ensure usage of RPM
packages for software installation. This allows for insight into the current
inventory of installed software on the system, and is highly recommended.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="false" severity="high">
<title xml:lang="en-US">gpgcheck Enabled In Main Yum Configuration</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> option should be used to ensure
checking of an RPM package's signature always occurs prior to its
installation. To configure yum to check package signatures before installing
them, ensure the following line appears in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.conf</xhtml:code> in
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[main]</xhtml:code> section:
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=1</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">352</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">663</reference>
<rationale xml:lang="en-US">
Ensuring the validity of packages' cryptographic signatures prior to
installation ensures the provenance of the software and
protects against malicious tampering.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:249" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="GPG checking is not enabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To determine whether <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> is configured to use <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code>,
inspect <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.conf</xhtml:code> and ensure the following appears in the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[main]</xhtml:code> section:
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=1</pre>
A value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1</xhtml:code> indicates that <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> is enabled. Absence of a
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> line or a setting of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code> indicates that it is
disabled.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="false" severity="high">
<title xml:lang="en-US">gpgcheck Enabled For All Yum Package Repositories</title>
<description xml:lang="en-US">To ensure signature checking is not disabled for
any repos, remove any lines from files in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.repos.d</xhtml:code> of the form:
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=0</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">352</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">663</reference>
<rationale xml:lang="en-US">
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and
protects against malicious tampering.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:195" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="GPG checking is disabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To determine whether <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> has been configured to disable
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> for any repos, inspect all files in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.repos.d</xhtml:code> and ensure the following does not appear in any
sections:
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=0</pre>
A value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code> indicates that <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> has been disabled for that repo.
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_integrity">
<title xml:lang="en-US">Software Integrity Checking</title>
<description xml:lang="en-US">
Both the AIDE (Advanced Intrusion Detection Environment)
software and the RPM package management system provide
mechanisms for verifying the integrity of installed software.
AIDE uses snapshots of file metadata (such as hashes) and compares these
to current system files in order to detect changes.
The RPM package management system can conduct integrity
checks by comparing information in its metadata database with
files installed on the system.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Integrity checking cannot <i xmlns="http://www.w3.org/1999/xhtml">prevent</i> intrusions,
but can detect that they have occurred. Requirements
for software integrity checking may be highly dependent on
the environment in which the system will be used. Snapshot-based
approaches such as AIDE may induce considerable overhead
in the presence of frequent software updates.
</description>
<Group id="xccdf_org.ssgproject.content_group_aide">
<title xml:lang="en-US">Verify Integrity with AIDE</title>
<description xml:lang="en-US">AIDE conducts integrity checks by comparing information about
files with previously-gathered information. Ideally, the AIDE database is
created immediately after initial system configuration, and then again after any
software update. AIDE is highly configurable, with further configuration
information located in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/share/doc/aide-<i xmlns="http://www.w3.org/1999/xhtml">VERSION</i></xhtml:code>.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false" severity="medium">
<title xml:lang="en-US">Install AIDE</title>
<description xml:lang="en-US">
Install the AIDE package with the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo yum install aide</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1069</reference>
<reference href="test_attestation">
<dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">DS</dc:contributor>
<dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">20121024</dc:date>
</reference>
<rationale xml:lang="en-US">
The AIDE package must be installed if it is to be available for integrity checking.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the package is not installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">aide</xhtml:code> package is installed:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q aide</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_disable_prelink" selected="false" severity="low">
<title xml:lang="en-US">Disable Prelinking</title>
<description xml:lang="en-US">
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/prelink</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">PRELINKING=no</pre>
Next, run the following command to return binaries to a normal, non-prelinked state:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo /usr/sbin/prelink -ua</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<rationale xml:lang="en-US">
The prelinking feature can interfere with the operation
of AIDE, because it changes binaries.
</rationale>
<fixtext reboot="1">asdasdasd</fixtext>
<fixtext>asdasdsdfasdfasd</fixtext>
<fixtext>asdfasdfsdasdasd</fixtext>
<fix system="urn:xccdf:fix:script:sh" reboot="true">#
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua
</fix>
<fix system="urn:xccdf:fix:script:sh">#
# Disable presdfasdfasdflinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:151" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_aide_build_database" selected="false" severity="medium">
<title xml:lang="en-US">Build and Test AIDE Database</title>
<description xml:lang="en-US">Run the following command to generate a new database:
<pre xmlns="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --init</pre>
By default, the database will be written to the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/lib/aide/aide.db.new.gz</xhtml:code>.
Storing the database, the configuration file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/aide.conf</xhtml:code>, and the binary
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/sbin/aide</xhtml:code> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
<pre xmlns="http://www.w3.org/1999/xhtml"># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre>
To initiate a manual check, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --check</pre>
If this check produces any unexpected output, investigate.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<rationale xml:lang="en-US">
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="false" severity="medium">
<title xml:lang="en-US">Configure Periodic Execution of AIDE</title>
<description xml:lang="en-US">
To implement a daily execution of AIDE at 4:05am using cron, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/crontab</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">05 4 * * * root /usr/sbin/aide --check</pre>
AIDE can be executed periodically through other means; this is merely one example.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">374</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">416</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1069</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1263</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1297</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1589</reference>
<rationale xml:lang="en-US">
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
</rationale>
<check system="ocil-transitional">
<check-export export-name="there is no output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To determine that periodic AIDE execution has been scheduled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep aide /etc/crontab</pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_rpm_verification">
<title xml:lang="en-US">Verify Integrity with RPM</title>
<description xml:lang="en-US">The RPM package management system includes the ability
to verify the integrity of installed packages by comparing the
installed files with information about the files taken from the
package metadata stored in the RPM database. Although an attacker
could corrupt the RPM database (analogous to attacking the AIDE
database as described above), this check can still reveal
modification of important files. To list which files on the system differ from what is expected by the RPM database:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qVa</pre>
See the man page for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpm</xhtml:code> to see a complete explanation of each column.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="false" severity="low">
<title xml:lang="en-US">Verify and Correct File Permissions with RPM</title>
<description xml:lang="en-US">
The RPM package management system can check file access
permissions of installed software packages, including many that are
important to system security.
After locating a file with incorrect permissions, run the following command to determine which package owns it:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qf <i>FILENAME</i></pre>
Next, run the following command to reset its permissions to
the correct values:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm --setperms <i>PACKAGENAME</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1493</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1494</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1495</reference>
<rationale xml:lang="en-US">
Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.</rationale>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The following command will list which files on the system have permissions different from what
is expected by the RPM database:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | grep '^.M'</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="false" severity="low">
<title xml:lang="en-US">Verify File Hashes with RPM</title>
<description xml:lang="en-US">The RPM package management system can check the hashes of
installed software packages, including many that are important to system
security. Run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | grep '^..5'</pre>
A "c" in the second column indicates that a file is a configuration file, which
may appropriately be expected to change. If the file was not expected to
change, investigate the cause of the change using audit logs or other means.
The package can then be reinstalled to restore the file.
Run the following command to determine which package owns the file:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qf <i>FILENAME</i></pre>
The package can be reinstalled from a yum repository using the command:
<pre xmlns="http://www.w3.org/1999/xhtml">yum reinstall <i>PACKAGENAME</i></pre>
Alternatively, the package can be reinstalled from trusted media using the command:
<pre xmlns="http://www.w3.org/1999/xhtml">rpm -Uvh <i>PACKAGENAME</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1496</reference>
<rationale xml:lang="en-US">
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.</rationale>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content> The following command will list which files on the system
have file hashes different from what is expected by the RPM database.
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'</pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_additional_security_software">
<title xml:lang="en-US">Additional Security Software</title>
<description xml:lang="en-US">
Additional security software that is not provided or supported
by Red Hat can be installed to provide complementary or duplicative
security capabilities to those provided by the base platform. Add-on
software may not be appropriate for some specialized systems.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_install_hids" selected="false" severity="high">
<title xml:lang="en-US">Install Intrusion Detection Software</title>
<description xml:lang="en-US">
The Red Hat platform includes a sophisticated auditing system
and SELinux, which provide host-based intrusion detection capabilities.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1263</reference>
<rationale xml:lang="en-US">
Host-based intrusion detection tools provide a system-level defense when an
intruder gains access to a system or network.
</rationale>
<check system="ocil-transitional">
<check-export export-name="no host-based intrusion detection tools are installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect the system to determine if intrusion detection software has been installed.
Verify this intrusion detection software is active.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_install_antivirus" selected="false" severity="low">
<title xml:lang="en-US">Install Virus Scanning Software</title>
<description xml:lang="en-US">
Install virus scanning software, which uses signatures to search for the
presence of viruses on the filesystem.
The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems.
Ensure virus definition files are no older than 7 days, or their last release.
<!-- need info here on where DoD admins can go to get this -->
Configure the virus scanning software to perform scans dynamically on all
accessed files. If this is not possible, configure the
system to scan all altered files on the system on a daily
basis. If the system processes inbound SMTP mail, configure the virus scanner
to scan all received mail.
<!-- what's the basis for the IAO language? would not failure of a check
imply a discussion, for every check in this document,
with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your
particular neighborhood) should occur? -->
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-3</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1239</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1668</reference>
<rationale xml:lang="en-US">
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:188" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="virus scanning software does not run continuously, or at least daily, or has signatures that are out of date" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect the system for a cron job or system service which executes
a virus scanning tool regularly.
<br xmlns="http://www.w3.org/1999/xhtml"/>
<!-- this should be handled as DoD-specific text in a future revision -->
To verify the McAfee VSEL system service is operational,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># /etc/init.d/nails status</pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
To check on the age of uvscan virus definition files, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># cd /opt/NAI/LinuxShield/engine/dat
# ls -la avvscan.dat avvnames.dat avvclean.dat</pre>
</check-content>
</check>
</Rule>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_permissions">
<title xml:lang="en-US">File Permissions and Masks</title>
<description xml:lang="en-US">Traditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access.
</description>
<Group id="xccdf_org.ssgproject.content_group_mounting">
<title xml:lang="en-US">Restrict Dynamic Mounting and Unmounting of
Filesystems</title>
<description xml:lang="en-US">Linux includes a number of facilities for the automated addition
and removal of filesystems on a running system. These facilities may be
necessary in many environments, but this capability also carries some risk -- whether direct
risk from allowing users to introduce arbitrary filesystems,
or risk that software flaws in the automated mount facility itself could
allow an attacker to compromise the system.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
This command can be used to list the types of filesystems that are
available to the currently executing kernel:
<pre xmlns="http://www.w3.org/1999/xhtml">$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'</pre>
If these filesystems are not required then they can be explicitly disabled
in a configuratio file in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Modprobe Loading of USB Storage Driver</title>
<description xml:lang="en-US">
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">usb-storage</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install usb-storage /bin/false</xhtml:pre>
This will prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">modprobe</xhtml:code> program from loading the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">usb-storage</xhtml:code>
module, but will not prevent an administrator (or another program) from using the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insmod</xhtml:code> program to load the module manually.</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</reference>
<rationale xml:lang="en-US">USB storage devices such as thumb drives can be used to introduce
malicious software.</rationale>
<check system="ocil-transitional">
<check-export export-name="no line is returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
If the system is configured to prevent the loading of the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">usb-storage</xhtml:code> kernel module,
it will contain lines inside any file in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.conf</xhtml:code>.
These lines instruct the module loading system to run another program (such as
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/bin/false</xhtml:code>) upon a module <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install</xhtml:code> event.
Run the following command to search for such lines in all files in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>
and the deprecated <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bootloader_nousb_argument" selected="false" severity="low">
<title xml:lang="en-US">Disable Kernel Support for USB via Bootloader Configuration</title>
<description xml:lang="en-US">
All USB support can be disabled by adding the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nousb</xhtml:code>
argument to the kernel's boot loader configuration. To do so,
append "nousb" to the kernel line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/grub.conf</xhtml:code> as shown:
<pre xmlns="http://www.w3.org/1999/xhtml">kernel /vmlinuz-<i>VERSION</i> ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb</pre>
<i xmlns="http://www.w3.org/1999/xhtml"><b>WARNING:</b> Disabling all kernel support for USB will cause problems for
systems with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.</i></description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</reference>
<rationale xml:lang="en-US">Disabling the USB subsystem within the Linux kernel at system boot will
protect against potentially malicious USB devices, although it is only practical
in specialized systems.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bios_disable_usb_boot" selected="false" severity="low">
<title xml:lang="en-US">Disable Booting from USB Devices in Boot Firmware</title>
<description xml:lang="en-US">Configure the system boot firmware (historically called BIOS on PC
systems) to disallow booting from USB drives.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</reference>
<rationale xml:lang="en-US">Booting a system from a USB device would allow an attacker to
circumvent any security measures provided by the operating system. Attackers
could mount partitions and modify the configuration of the OS.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bios_assign_password" selected="false" severity="low">
<title xml:lang="en-US">Assign Password to Prevent Changes to Boot Firmware Configuration</title>
<description xml:lang="en-US">Assign a password to the system boot firmware (historically called BIOS on PC
systems) to require a password for any configuration changes.
</description>
<rationale xml:lang="en-US">Assigning a password to the system boot firmware prevents anyone
with physical access from configuring the system to boot
from local media and circumvent the operating system's access controls.
For systems in physically secure locations, such as
a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed
against the risk of administrative personnel being unable to conduct recovery operations in
a timely fashion.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable the Automounter</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/misc/cd</xhtml:code>.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>
rather than relying on the automounter.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable autofs.service</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</reference>
<rationale xml:lang="en-US">Disabling the automounter permits the administrator to
statically control filesystem mounting through <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> service is disabled in system boot configuration, run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>autofs</xhtml:code> --list</xhtml:pre>
Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>autofs</xhtml:code> --list
<xhtml:code>autofs</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre>
Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> is disabled through current runtime configuration:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service autofs status</xhtml:pre>
If the service is disabled the command will return the following output:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs is stopped</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount" selected="false" severity="low">
<title xml:lang="en-US">Disable GNOME3 Automounting</title>
<description xml:lang="en-US">The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount and autorun within GNOME3,
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount</xhtml:code>, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount-open</xhtml:code>, and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autorun-never</xhtml:code> settings must be set
under an appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<rationale xml:lang="en-US">Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:217" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="GNOME automounting is not disabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
These settings can be verified by running the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.media-handling automount
$ gsettings get org.gnome.desktop.media-handling automount-open
$ gsettings get org.gnome.desktop.media-handling autorun-never</pre>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">false</xhtml:code>.
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount-open</xhtml:code>should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">false</xhtml:code>.
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autorun-never</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure that users cannot enable automount and autorun in GNOME3, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/media-handling/automount</xhtml:code>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount-open</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/media-handling/auto-open</xhtml:code>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autorun-never</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/media-handling/autorun-never</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of cramfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">cramfs</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install cramfs /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of freevxfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">freevxfs</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install freevxfs /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of jffs2</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">jffs2</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install jffs2 /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of hfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">hfs</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install hfs /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of hfsplus</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">hfsplus</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install hfsplus /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of squashfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">squashfs</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install squashfs /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of udf</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">udf</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install udf /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers" selected="false" severity="low">
<title xml:lang="en-US">Disable All GNOME3 Thumbnailers</title>
<description xml:lang="en-US">The system's default desktop environment, GNOME3, uses
a number of different thumbnailer programs to generate thumbnails
for any new or modified content in an opened folder. To disable the
execution of these thumbnail applications, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">disable-all</xhtml:code> setting must be set
under an appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
This effectively prevents an attacker from gaining access to a
system through a flaw in GNOME3's Nautilus thumbnail creators.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious
file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem
(via a web upload for example) and assuming a user browses the same location using Nautilus, the
malicious file would exploit the thumbnailer with the potential for malicious code execution. It
is best to disable these thumbnailer applications unless they are explicitly required.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:255" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="GNOME automounting is not disabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
These settings can be verified by running the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.thumbnailers disable-all</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure that users cannot how long until the the screensaver locks, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep disable-all /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/thumbnailers/disable-all</xhtml:code>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs">
<title xml:lang="en-US">Verify File Permissions Within Some Important Directories</title>
<description xml:lang="en-US">Some directories contain files whose confidentiality or integrity
is notably important and may also be susceptible to misconfiguration over time,
particularly if unpackaged software is installed. As such, an argument exists
to verify that files' permissions within these directories remain configured
correctly and restrictively.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="false" severity="medium">
<title xml:lang="en-US">Shared Library Files Have Restrictive Permissions</title>
<description xml:lang="en-US">System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre xmlns="http://www.w3.org/1999/xhtml">/lib
/lib64
/usr/lib
/usr/lib64
</pre>
Kernel modules, which can be added to the kernel during runtime, are stored in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/lib/modules</xhtml:code>. All files in these directories should not be
group-writable or world-writable. If any file in these directories is found to
be group-writable or world-writable, correct its permission with the following
command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod go-w <i>FILE</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
<rationale xml:lang="en-US">Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the
system.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:240" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="false" severity="medium">
<title xml:lang="en-US">Shared Library Files Have Root Ownership</title>
<description xml:lang="en-US">System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre xmlns="http://www.w3.org/1999/xhtml">/lib
/lib64
/usr/lib
/usr/lib64
</pre>
Kernel modules, which can be added to the kernel during runtime, are also
stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/lib/modules</xhtml:code>. All files in these directories should be owned
by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> user. If the directory, or any file in these directories,
is found to be owned by a user other than root correct its ownership with the
following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chown root <i>FILE</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
<rationale xml:lang="en-US">Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:148" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="false" severity="medium">
<title xml:lang="en-US">System Executables Have Restrictive Permissions</title>
<description xml:lang="en-US">
System executables are stored in the following directories by default:
<pre xmlns="http://www.w3.org/1999/xhtml">/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin</pre>
All files in these directories should not be group-writable or world-writable.
If any file <i xmlns="http://www.w3.org/1999/xhtml">FILE</i> in these directories is found to be group-writable or
world-writable, correct its permission with the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod go-w <i>FILE</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
<rationale xml:lang="en-US">System binaries are executed by privileged users, as well as system
services, and restrictive permissions are necessary to ensure execution of
these programs cannot be co-opted.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:233" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="false" severity="medium">
<title xml:lang="en-US">System Executables Have Root Ownership</title>
<description xml:lang="en-US">
System executables are stored in the following directories by default:
<pre xmlns="http://www.w3.org/1999/xhtml">/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin</pre>
All files in these directories should be owned by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> user. If
any file <i xmlns="http://www.w3.org/1999/xhtml">FILE</i> in these directories is found to be owned by a user other
than root, correct its ownership with the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chown root <i>FILE</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
<rationale xml:lang="en-US">System binaries are executed by privileged users as well as system
services, and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:138" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_restrictions">
<title xml:lang="en-US">Restrict Programs from Dangerous Execution Patterns</title>
<description xml:lang="en-US">The recommendations in this section are designed to
ensure that the system's features to protect against potentially
dangerous program execution are activated.
These protections are applied at the system initialization or
kernel level, and defend against certain types of badly-configured
or compromised programs.</description>
<Group id="xccdf_org.ssgproject.content_group_daemon_umask">
<title xml:lang="en-US">Daemon Umask</title>
<description xml:lang="en-US">The umask is a per-process setting which limits
the default permissions for creation of new files and directories.
The system includes initialization scripts which set the default umask
for system daemons.
</description>
<Value id="xccdf_org.ssgproject.content_value_var_umask_for_daemons" operator="equals" type="string">
<title xml:lang="en-US">daemon umask</title>
<description xml:lang="en-US">Enter umask for daemons</description>
<value>022</value>
<value selector="022">022</value>
<value selector="027">027</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_umask_for_daemons" selected="false" severity="low">
<title xml:lang="en-US">Set Daemon Umask</title>
<description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/init.d/functions</xhtml:code> includes initialization
parameters for most or all daemons started at boot time. The default umask of
022 prevents creation of group- or world-writable files. To set the default
umask for daemons, edit the following line, inserting 022 or 027 for
<i xmlns="http://www.w3.org/1999/xhtml">UMASK</i> appropriately:
<pre xmlns="http://www.w3.org/1999/xhtml">umask <i>UMASK</i></pre>
Setting the umask to too restrictive a setting can cause serious errors at
runtime. Many daemons on the system already individually restrict themselves to
a umask of 077 in their own init scripts.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<rationale xml:lang="en-US">The umask influences the permissions assigned to files created by a
process at run time. An unnecessarily permissive umask could result in files
being created with insecure permissions.</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the value of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code>, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep umask /etc/init.d/functions</pre>
The output should show either <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">022</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">027</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_coredumps">
<title xml:lang="en-US">Disable Core Dumps</title>
<description xml:lang="en-US">A core dump file is the memory image of an executable
program when it was terminated by the operating system due to
errant behavior. In most cases, only software developers
legitimately need to access these files. The core dump files may
also contain sensitive information, or unnecessarily occupy large
amounts of disk space.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Once a hard limit is set in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</xhtml:code>, a
user cannot increase that limit within his or her own session. If access
to core dumps is required, consider restricting them to only
certain users or groups. See the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">limits.conf</xhtml:code> man page for more
information.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The core dumps of setuid programs are further protected. The
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sysctl</xhtml:code> variable <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fs.suid_dumpable</xhtml:code> controls whether
the kernel allows core dumps from these programs at all. The default
value of 0 is recommended.</description>
<Rule id="xccdf_org.ssgproject.content_rule_disable_users_coredumps" selected="false" severity="low">
<title xml:lang="en-US">Disable Core Dumps for All Users</title>
<description xml:lang="en-US">To disable core dumps for all users, add the following line to
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">* hard core 0</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference>
<rationale xml:lang="en-US">A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.</rationale>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify that core dumps are disabled for all users, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep core /etc/security/limits.conf</pre>
The output should be:
<pre xmlns="http://www.w3.org/1999/xhtml">* hard core 0</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="false" severity="low">
<title xml:lang="en-US">Disable Core Dumps for SUID programs</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fs.suid_dumpable</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w fs.suid_dumpable=0</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">fs.suid_dumpable = 0</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-11</reference>
<rationale xml:lang="en-US">The core dump of a setuid program is more likely to contain
sensitive data, as the program itself runs with greater privileges than the
user who initiated execution of the program. Disabling the ability for any
setuid program to write a core file decreases the risk of unauthorized access
of such data.</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fs.suid_dumpable</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl fs.suid_dumpable</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_enable_execshield_settings">
<title xml:lang="en-US">Enable ExecShield</title>
<description xml:lang="en-US">ExecShield describes kernel features that provide
protection against exploitation of memory corruption errors such as buffer
overflows. These features include random placement of the stack and other
memory regions, prevention of execution in memory that should only hold data,
and special handling of text buffers. These protections are enabled by default
on 32-bit systems and controlled through <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sysctl</xhtml:code> variables
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.exec-shield</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.randomize_va_space</xhtml:code>. On the latest
64-bit systems, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.exec-shield</xhtml:code> cannot be enabled or disabled with
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sysctl</xhtml:code>.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" selected="false" severity="medium">
<title xml:lang="en-US">Enable ExecShield</title>
<description xml:lang="en-US">By default on Fedora 64-bit systems, ExecShield is enabled and can
only be disabled if the hardware does not support ExecShield or is disabled in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/default/grub</xhtml:code>. For Fedora 32-bit systems, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sysctl</xhtml:code> can be
used to enable ExecShield.</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">ExecShield uses the segmentation feature on all x86 systems
to prevent execution in memory higher than a certain address. It
writes an address as a limit in the code segment descriptor, to
control where code can be executed, on a per-process basis. When
the kernel places a process's memory regions such as the stack and
heap higher than this address, the hardware prevents execution in that
address range. This is enabled by default on the latest Red Hat and Fedora
systems if supported by the hardware.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:175" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration." value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify ExecShield is enabled on 64-bit Fedora systems, run the following
command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ dmesg | grep '[NX|DX]*protection'</pre>
The output should not contain <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">'disabled by kernel command line option'</xhtml:code>.
To verify that ExecShield has not been disabled in the kernel configuration,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo grep noexec /boot/grub2/grub.cfg</pre>
The output should not return <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">noexec=off</xhtml:code>.
For 32-bit Fedora systems, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sysctl kernel.exec-shield</pre>
The output should be:
<pre xmlns="http://www.w3.org/1999/xhtml">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.exec-shield</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w kernel.exec-shield=1</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">kernel.exec-shield = 1</xhtml:pre></pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="false" severity="medium">
<title xml:lang="en-US">Enable Randomized Layout of Virtual Address Space</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.randomize_va_space</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w kernel.randomize_va_space=2</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">kernel.randomize_va_space = 2</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US"> Address space layout randomization (ASLR) makes it more difficult
for an attacker to predict the location of attack code they have introduced
into a process's address space during an attempt at exploitation. Additionally, ASLR
makes it more difficult for an attacker to know the location of existing code
in order to re-purpose it using return oriented programming (ROP) techniques.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.randomize_va_space</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl kernel.randomize_va_space</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">2</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_enable_nx">
<title xml:lang="en-US">Enable Execute Disable (XD) or No Execute (NX) Support on
x86 Systems</title>
<description xml:lang="en-US">Recent processors in the x86 family support the
ability to prevent code execution on a per memory page basis.
Generically and on AMD processors, this ability is called No
Execute (NX), while on Intel processors it is called Execute
Disable (XD). This ability can help prevent exploitation of buffer
overflow vulnerabilities and should be activated whenever possible.
Extra steps must be taken to ensure that this protection is
enabled, particularly on 32-bit x86 systems. Other processors, such
as Itanium and POWER, have included such support since inception
and the standard kernel for those platforms supports the
feature. This is enabled by default on the latest Red Hat and
Fedora systems if supported by the hardware.</description>
<Rule id="xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" selected="false" severity="low">
<title xml:lang="en-US">Install PAE Kernel on Supported 32-bit x86 Systems</title>
<description xml:lang="en-US">Systems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo yum install kernel-PAE</pre>
The installation process should also have configured the
bootloader to load the new kernel at boot. Verify this at reboot
and modify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/default/grub</xhtml:code> if necessary.</description>
<warning xml:lang="en-US" override="false" category="hardware">The kernel-PAE package should not be
installed on older systems that do not support the XD or NX bit, as
this may prevent them from booting.</warning>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">On 32-bit systems that support the XD or NX bit, the vendor-supplied
PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" selected="false" severity="low">
<title xml:lang="en-US">Enable NX or XD Support in the BIOS</title>
<description xml:lang="en-US">Reboot the system and enter the BIOS or Setup configuration menu.
Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
on AMD-based systems.</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
allow users to turn the feature on or off at will.</rationale>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_enable_dmesg_restriction" selected="false" severity="low">
<title xml:lang="en-US">Restrict Access to Kernel Message Buffer</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.dmesg_restrict</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w kernel.dmesg_restrict=1</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">kernel.dmesg_restrict = 1</xhtml:pre>
</description>
<rationale xml:lang="en-US">Unprivileged access to the kernel syslog can expose sensitive kernel
address information.</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.dmesg_restrict</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl kernel.dmesg_restrict</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts">
<title xml:lang="en-US">Account and Access Control</title>
<description xml:lang="en-US">In traditional Unix security, if an attacker gains
shell access to a certain login account, they can perform any action
or access any file to which that account has access. Therefore,
making it more difficult for unauthorized people to gain shell
access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces
mechanisms for restricting access to accounts under Fedora.
</description>
<Group id="xccdf_org.ssgproject.content_group_accounts-restrictions">
<title xml:lang="en-US">Protect Accounts by Restricting Password-Based Login</title>
<description xml:lang="en-US">Conventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> and
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code> files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary.</description>
<Group id="xccdf_org.ssgproject.content_group_root_logins">
<title xml:lang="en-US">Restrict Root Logins</title>
<description xml:lang="en-US">
Direct root logins should be allowed only for emergency use.
In normal situations, the administrator should access the system
via a unique unprivileged account, and then use <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">su</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> to execute
privileged commands. Discouraging administrators from accessing the
root account directly ensures an audit trail in organizations with
multiple administrators. Locking down the channels through which
root can connect directly also reduces opportunities for
password-guessing against the root account. The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">login</xhtml:code> program
uses the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code> to determine which interfaces
should allow root logins.
The virtual devices <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/console</xhtml:code>
and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/tty*</xhtml:code> represent the system consoles (accessible via
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
installation). The default securetty file also contains <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/vc/*</xhtml:code>.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Furthermore, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/hvc*</xhtml:code> represent virtio-serial
consoles, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/hvsi*</xhtml:code> IBM pSeries serial consoles, and finally
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/xvc0</xhtml:code> Xen virtual console. Root should also be prohibited
from connecting via network protocols. Other sections of this document
include guidance describing how to prevent root from logging in via SSH.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="false" severity="medium">
<title xml:lang="en-US">Direct root Logins Not Allowed</title>
<description xml:lang="en-US">To further limit access to the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> account, administrators
can disable root logins at the console by editing the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code> file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to his machine as root via Telnet, which sends the password in
plain text over the network. By default, Fedora's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code> file
only allows the root user to login at the console physically attached to the
machine. To prevent root from logging in, remove the contents of this file.
To prevent direct root logins, remove the contents of this file by typing the
following command:
<pre xmlns="http://www.w3.org/1999/xhtml">
echo > /etc/securetty
</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<rationale xml:lang="en-US">
Disabling direct root logins ensures proper accountability and multifactor
authentication to privileged accounts. Users will first login, then escalate
to privileged (root) access via su / sudo. This scenario is nowadays required
by security standards.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the /etc/securetty file is not empty" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure root may not directly login to the system over physical consoles,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">cat /etc/securetty</pre>
If any output is returned, this is a finding.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="false" severity="medium">
<title xml:lang="en-US">Virtual Console Root Logins Restricted</title>
<description xml:lang="en-US">
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">vc/1
vc/2
vc/3
vc/4</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</reference>
<rationale xml:lang="en-US">
Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system
using the root account.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:281" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="root login over virtual console devices is permitted" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check for virtual console entries which permit root login, run the
following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep ^vc/[0-9] /etc/securetty</pre>
If any output is returned, then root logins over virtual console devices is permitted.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="false" severity="low">
<title xml:lang="en-US">Serial Port Root Logins Restricted</title>
<description xml:lang="en-US">To restrict root logins on serial ports,
ensure lines of this form do not appear in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">ttyS0
ttyS1</pre>
<!-- TODO: discussion/description of serial port -->
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</reference>
<rationale xml:lang="en-US">
Preventing direct root login to serial port interfaces
helps ensure accountability for actions taken on the systems
using the root account.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:245" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="root login over serial ports is permitted" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check for serial port entries which permit root login,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep ^ttyS/[0-9] /etc/securetty</pre>
If any output is returned, then root login over serial ports is permitted.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_root_webbrowsing" selected="false" severity="low">
<title xml:lang="en-US">Web Browser Use for Administrative Accounts Restricted</title>
<description xml:lang="en-US">
Enforce policy requiring administrative accounts use web browsers only for
local service administration.
</description>
<rationale xml:lang="en-US">
If a browser vulnerability is exploited while running with administrative privileges,
the entire system could be compromised. Specific exceptions for local service
administration should be documented in site-defined policy.
</rationale>
<check system="ocil-transitional">
<check-export export-name="this is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Check the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> home directory for a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.mozilla</xhtml:code> directory. If
one exists, ensure browsing is limited to local service administration.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="false" severity="medium">
<title xml:lang="en-US">System Accounts Do Not Run a Shell Upon Login</title>
<description xml:lang="en-US">
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The login shell for each local account is stored in the last field of each line
in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>. System accounts are those user accounts with a user ID less than
500. The user ID is stored in the third field.
If any system account <i xmlns="http://www.w3.org/1999/xhtml">SYSACCT</i> (other than root) has a login shell,
disable it with the command:
<pre xmlns="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin <i>SYSACCT</i></pre>
</description>
<warning xml:lang="en-US" override="false" category="functionality">
Do not perform the steps in this
section on the root account. Doing so might cause the system to
become inaccessible.
</warning>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">178</reference>
<rationale xml:lang="en-US">
Ensuring shells are not given to system accounts upon login
makes it more difficult for attackers to make use of
system accounts.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:207" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="any system account (other than root) has a login shell" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To obtain a listing of all users,
their UIDs, and their shells, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd</pre>
Identify the system accounts from this listing. These will
primarily be the accounts with UID numbers less than 500, other
than root.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_uidzero_except_root" selected="false" severity="medium">
<title xml:lang="en-US">Only Root Has UID 0</title>
<description xml:lang="en-US">
If any account other than root has a UID of 0,
this misconfiguration should be investigated and the
accounts other than root should be removed or have their UID changed.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">
An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:276" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="any account other than root has a UID of 0" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To list all password file entries for accounts with UID 0, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd</pre>
This should print only one line, for the user root.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_root_path_default" selected="false" severity="low">
<title xml:lang="en-US">Root Path Is Vendor Default</title>
<description xml:lang="en-US">
Assuming root shell is bash, edit the following files:
<pre xmlns="http://www.w3.org/1999/xhtml">~/.profile</pre>
<pre xmlns="http://www.w3.org/1999/xhtml">~/.bashrc</pre>
Change any <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code> variables to the vendor default for root and remove any
empty <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code> entries or references to relative paths.
</description>
<rationale xml:lang="en-US">
The root account's executable search path must be the vendor default, and must
contain only absolute paths.
</rationale>
<check system="ocil-transitional">
<check-export export-name="any of these conditions are not met" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To view the root user's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code>, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># env | grep PATH</pre>
If correctly configured, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code> must: use vendor default settings,
have no empty entries, and have no entries beginning with a character
other than a slash (/).
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_password_storage">
<title xml:lang="en-US">Proper Storage and Existence of Password Hashes</title>
<description xml:lang="en-US">
By default, password hashes for local accounts are stored
in the second field (colon-separated) in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code>. This file should be readable only by
processes running with root credentials, preventing users from
casually accessing others' password hashes and attempting
to crack them.
However, it remains possible to misconfigure the system
and store password hashes
in world-readable files such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>, or
to even store passwords themselves in plaintext on the system.
Using system-provided tools for password change/creation
should allow administrators to avoid such misconfiguration.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="false" severity="high">
<title xml:lang="en-US">Log In to Accounts With Empty Password Impossible</title>
<description xml:lang="en-US">If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nullok</xhtml:code>
option in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> to
prevent logins with empty passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<rationale xml:lang="en-US">
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational
environments.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:127" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="NULL passwords can be used" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify that null passwords cannot be used, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep nullok /etc/pam.d/system-auth</pre>
If this produces any output, it may be possible to log into accounts
with empty passwords.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow" selected="false" severity="medium">
<title xml:lang="en-US">Password Hashes For Each Account Shadowed</title>
<description xml:lang="en-US">
If any password hashes are stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> (in the second field,
instead of an <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">x</xhtml:code>), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(h)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">201</reference>
<rationale xml:lang="en-US">
The hashes for all user account passwords should be stored in
the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code> and never in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>,
which is readable by all users.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:267" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="any stored hashes are found in /etc/passwd" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that no password hashes are stored in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd</pre>
If it produces any output, then a password hash is
stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="false" severity="low">
<title xml:lang="en-US">All GIDs referenced in /etc/passwd Defined in /etc/group</title>
<description xml:lang="en-US">
Add a group to the system for each GID referenced without a corresponding group.
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">
Inconsistency in GIDs between <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/group</xhtml:code> could lead to a user having unintended rights.
</rationale>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure all GIDs referenced in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> are defined in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/group</xhtml:code>,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># pwck -qr</pre>
There should be no output.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="false" severity="medium">
<title xml:lang="en-US">netrc Files Do Not Exist</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code> files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code> files should be removed.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(h)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">196</reference>
<rationale xml:lang="en-US">
Unencrypted passwords for remote FTP servers may be stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code>
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:200" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="any .netrc files exist" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the system for the existence of any <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code> files,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># find /home -xdev -name .netrc</pre>
<!-- needs fixup to limit search to home dirs -->
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_password_expiration">
<title xml:lang="en-US">Set Password Expiration Parameters</title>
<description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> controls several
password-related settings. Programs such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">passwd</xhtml:code>,
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">su</xhtml:code>, and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">login</xhtml:code> consult <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">login.defs(5)</xhtml:code> for more information.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS</xhtml:code> and apply it to existing accounts with the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-M</xhtml:code> flag.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS</xhtml:code> (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-m</xhtml:code>) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_WARN_AGE</xhtml:code> (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-W</xhtml:code>) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
For example, for each existing human user <i xmlns="http://www.w3.org/1999/xhtml">USER</i>, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chage -M 180 -m 7 -W 7 USER</pre>
</description>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" type="number">
<title xml:lang="en-US">minimum password length</title>
<description xml:lang="en-US">Minimum number of characters in password</description>
<warning xml:lang="en-US" override="false" category="general">This will only check new passwords</warning>
<value>12</value>
<value selector="6">6</value>
<value selector="8">8</value>
<value selector="10">10</value>
<value selector="12">12</value>
<value selector="14">14</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" type="number">
<title xml:lang="en-US">maximum password age</title>
<description xml:lang="en-US">Maximum age of password in days</description>
<warning xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning>
<value>60</value>
<value selector="60">60</value>
<value selector="90">90</value>
<value selector="120">120</value>
<value selector="180">180</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" type="number">
<title xml:lang="en-US">minimum password age</title>
<description xml:lang="en-US">Minimum age of password in days</description>
<warning xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning>
<value>7</value>
<value selector="7">7</value>
<value selector="5">5</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" type="number">
<title xml:lang="en-US">warning days before password expires</title>
<description xml:lang="en-US">The number of days' warning given before a password expires.</description>
<warning xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning>
<value>7</value>
<value selector="0">0</value>
<value selector="7">7</value>
<value selector="14">14</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="false" severity="medium">
<title xml:lang="en-US">Password Minimum Length</title>
<description xml:lang="en-US">To specify password length requirements for new accounts,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_LEN <b>LENGTH</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_LEN <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/></b></pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
Nowadays recommended values, considered as secure by various organizations
focused on topic of computer security, range from <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">12 (FISMA)</xhtml:code> up to
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">14 (DoD)</xhtml:code> characters for password length requirements.
If a program consults <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> and also another PAM module
(such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_cracklib</xhtml:code>) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">205</reference>
<rationale xml:lang="en-US">
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or
counterproductive behavior that may result.
</rationale>
<fix system="urn:xccdf:fix:script:sh">var_accounts_password_minlen_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/>"
grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:475" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs"/>
<check-content-ref name="oval:ssg:def:251" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the minimum password length, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MIN_LEN /etc/login.defs</pre>
Passwords of length <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">12</xhtml:code> characters and more are nowadays
considered to be a standard requirement.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="false" severity="medium">
<title xml:lang="en-US">Password Minimum Age</title>
<description xml:lang="en-US">To specify password minimum age for new accounts,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS <b>DAYS</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/></b></pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
A value greater than 1 day is considered to be sufficient for many environments.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(d)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">198</reference>
<rationale xml:lang="en-US">
Setting the minimum password age protects against users cycling
back to a favorite password after satisfying the password reuse
requirement.
</rationale>
<fix system="urn:xccdf:fix:script:sh">var_accounts_minimum_age_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/>"
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:477" value-id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs"/>
<check-content-ref name="oval:ssg:def:283" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the minimum password age, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MIN_DAYS /etc/login.defs</pre>
A value greater than 1 day is considered to be sufficient for many environments.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="false" severity="medium">
<title xml:lang="en-US">Password Maximum Age</title>
<description xml:lang="en-US">To specify password maximum age for new accounts,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS <b>DAYS</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/></b></pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
A value less than 180 days is sufficient for many environments.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(g)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(d)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">180</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">199</reference>
<rationale xml:lang="en-US">
Setting the password maximum age ensures users are required to
periodically change their passwords. This could possibly decrease
the utility of a stolen password. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.</rationale>
<fix system="urn:xccdf:fix:script:sh">var_accounts_maximum_age_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/>"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:464" value-id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs"/>
<check-content-ref name="oval:ssg:def:136" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the maximum password age, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MAX_DAYS /etc/login.defs</pre>
A value less than 180 days is sufficient for many environments.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="false" severity="low">
<title xml:lang="en-US">Password Warning Age</title>
<description xml:lang="en-US">To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_WARN_AGE <b>DAYS</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_WARN_AGE <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/></b></pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
A value of 7 days would be nowadays considered to be a standard.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<rationale xml:lang="en-US">
Setting the password warning age enables users to make the change
at a practical time.
</rationale>
<fix system="urn:xccdf:fix:script:sh">var_accounts_password_warn_age_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/>"
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:472" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs"/>
<check-content-ref name="oval:ssg:def:231" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the password warning age, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_WARN_AGE /etc/login.defs</pre>
A value of 7 days would be nowadays considered to be a standard.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts-session">
<title xml:lang="en-US">Secure Session Configuration Files for Login Accounts</title>
<description xml:lang="en-US">When a user logs into a Unix account, the system
configures the user's session by reading a number of files. Many of
these files are located in the user's home directory, and may have
weak permissions as a result of user error or misconfiguration. If
an attacker can modify or even read certain types of account
configuration information, they can often gain full access to the
affected user's account. Therefore, it is important to test and
correct configuration file permissions for interactive accounts,
particularly those of privileged users such as root or system
administrators.</description>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" operator="equals" type="number">
<title xml:lang="en-US">Maximum concurrent login sessions</title>
<description xml:lang="en-US">Maximum number of concurrent sessions by a user</description>
<value>1</value>
<value selector="1">1</value>
<value selector="3">3</value>
<value selector="5">5</value>
<value selector="10">10</value>
<value selector="15">15</value>
<value selector="20">20</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" selected="false" severity="low">
<title xml:lang="en-US">Limit the Number of Concurrent Login Sessions Allowed Per User</title>
<description xml:lang="en-US">
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent
sessions per user add the following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">* hard maxlogins <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-10</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">54</reference>
<rationale xml:lang="en-US">Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions.
</rationale>
<check system="ocil-transitional">
<check-export export-name="it is not similar" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to ensure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxlogins</xhtml:code> value is configured for all users
on the system:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "maxlogins" /etc/security/limits.conf</pre>
You should receive output similar to the following:
<pre xmlns="http://www.w3.org/1999/xhtml">* hard maxlogins 10</pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_root_paths">
<title xml:lang="en-US">Ensure that No Dangerous Directories Exist in Root's Path</title>
<description xml:lang="en-US">The active path of the root account can be obtained by
starting a new root shell and running:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo echo $PATH</pre>
This will produce a colon-separated list of
directories in the path.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Certain path elements could be considered dangerous, as they could lead
to root executing unknown or
untrusted programs, which could contain malicious
code.
Since root may sometimes work inside
untrusted directories, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.</xhtml:code> character, which represents the
current directory, should never be in the root path, nor should any
directory which can be written to by an unprivileged or
semi-privileged (system) user.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
It is a good practice for administrators to always execute
privileged commands by typing the full path to the
command.</description>
<Rule id="xccdf_org.ssgproject.content_rule_root_path_no_dot" selected="false" severity="low">
<title xml:lang="en-US">Ensure that Root's Path Does Not Include Relative Paths or Null Directories</title>
<description xml:lang="en-US">
Ensure that none of the directories in root's path is equal to a single
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.</xhtml:code> character, or
that it contains any instances that lead to relative path traversal, such as
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">..</xhtml:code> or beginning a path without the slash (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/</xhtml:code>) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
<pre xmlns="http://www.w3.org/1999/xhtml">PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin</pre>
These empty elements have the same effect as a single <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.</xhtml:code> character.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">
Including these entries increases the risk that root could
execute code from an untrusted location.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable" selected="false" severity="low">
<title xml:lang="en-US">Ensure that Root's Path Does Not Include World or Group-Writable Directories</title>
<description xml:lang="en-US">
For each element in root's path, run:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -ld <i>DIR</i></pre>
and ensure that write permissions are disabled for group and
other.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">
Such entries increase the risk that root could
execute code provided by unprivileged users,
and potentially malicious code.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:274" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="group or other write permissions exist" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure write permissions are disabled for group and other
for each element in root's path, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -ld <i>DIR</i></pre>
</check-content>
</check>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_homedir_perms_no_groupwrite_worldread" selected="false" severity="low">
<title xml:lang="en-US">Ensure that User Home Directories are not Group-Writable or World-Readable</title>
<description xml:lang="en-US">For each human user of the system, view the
permissions of the user's home directory:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -ld /home/<i>USER</i></pre>
Ensure that the directory is not group-writable and that it
is not world-readable. If necessary, repair the permissions:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo chmod g-w /home/<i>USER</i>
$ sudo chmod o-rwx /home/<i>USER</i></pre>
</description>
<warning xml:lang="en-US" override="false" category="general">This action may involve
modifying user home directories. Notify your user community, and
solicit input if appropriate, before making this type of
change.</warning>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">
User home directories contain many configuration files which
affect the behavior of a user's account. No user should ever have
write permission to another user's home directory. Group shared
directories can be configured in sub-directories or elsewhere in the
filesystem if they are needed. Typically, user home directories
should not be world-readable, as it would disclose file names
to other users. If a subset of users need read access
to one another's home directories, this can be provided using
groups or ACLs.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:155" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the user home directory is group-writable or world-readable" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the user home directory is not group-writable or world-readable, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -ld /home/<i>USER</i></pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_user_umask">
<title xml:lang="en-US">Ensure that Users Have Sensible Umask Values</title>
<description xml:lang="en-US">
The umask setting controls the default permissions
for the creation of new files.
With a default <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting of 077, files and directories
created by users will not be readable by any other user on the
system. Users who wish to make specific files group- or
world-readable can accomplish this by using the chmod command.
Additionally, users can make all their files readable to their
group by default by setting a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> of 027 in their shell
configuration files. If default per-user groups exist (that is, if
every user has a default group whose name is the same as that
user's username and whose only member is the user), then it may
even be safe for users to select a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> of 007, making it very
easy to intentionally share files with groups of which the user is
a member.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
<!--In addition, it may be necessary to change root's <tt>umask</tt>
temporarily in order to install software or files which must be
readable by other users, or to change the default umasks of certain
service accounts such as the FTP user. However, setting a
restrictive default protects the files of users who have not taken
steps to make their files more available, and preventing files from
being inadvertently shared.-->
</description>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_user_umask" operator="equals" type="string">
<title xml:lang="en-US">Sensible umask</title>
<description xml:lang="en-US">Enter default user umask</description>
<value>027</value>
<value selector="007">007</value>
<value selector="022">022</value>
<value selector="027">027</value>
<value selector="077">077</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_bashrc" selected="false" severity="low">
<title xml:lang="en-US">Ensure the Default Bash Umask is Set Correctly</title>
<description xml:lang="en-US">
To ensure the default umask for users of the Bash shell is set properly,
add or correct the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/bashrc</xhtml:code> to read
as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">umask <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting is configured correctly in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/bashrc</xhtml:code> file by
running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/bashrc</pre>
All output must show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> set to 077, as shown below:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/bashrc
umask 077
umask 077</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_cshrc" selected="false" severity="low">
<title xml:lang="en-US">Ensure the Default C Shell Umask is Set Correctly</title>
<description xml:lang="en-US">
To ensure the default umask for users of the C shell is set properly,
add or correct the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/csh.cshrc</xhtml:code> to read as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">umask <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting is configured correctly in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/csh.cshrc</xhtml:code> file by
running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/csh.cshrc</pre>
All output must show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> set to 077, as shown in the below:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/csh.cshrc
umask 077</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" selected="false" severity="low">
<title xml:lang="en-US">Ensure the Default Umask is Set Correctly in /etc/profile</title>
<description xml:lang="en-US">
To ensure the default umask controlled by <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/profile</xhtml:code> is set properly,
add or correct the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/profile</xhtml:code> to read as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">umask <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting is configured correctly in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/profile</xhtml:code> file by
running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/profile</pre>
All output must show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> set to 077, as shown in the below:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/profile
umask 077</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_login_defs" selected="false" severity="low">
<title xml:lang="en-US">Ensure the Default Umask is Set Correctly in login.defs</title>
<description xml:lang="en-US">
To ensure the default umask controlled by <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> is set properly,
add or correct the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">UMASK</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> to read as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">UMASK <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">UMASK</xhtml:code> setting is configured correctly in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> file by
running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep -i "UMASK" /etc/login.defs</pre>
All output must show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> set to 077, as shown in the below:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep -i "UMASK" /etc/login.defs
umask 077</pre>
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts-pam">
<title xml:lang="en-US">Protect Accounts by Configuring PAM</title>
<description xml:lang="en-US">PAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides
a flexible and configurable architecture for authentication, and it should be configured
to minimize exposure to unnecessary risk. This section contains
guidance on how to accomplish that.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
PAM is implemented as a set of shared objects which are
loaded and invoked whenever an application wishes to authenticate a
user. Typically, the application must be running as root in order
to take advantage of PAM, because PAM's modules often need to be able
to access sensitive stores of account information, such as /etc/shadow.
Traditional privileged network listeners
(e.g. sshd) or SUID programs (e.g. sudo) already meet this
requirement. An SUID root application, userhelper, is provided so
that programs which are not SUID or privileged themselves can still
take advantage of PAM.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
PAM looks in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d</xhtml:code> for
application-specific configuration information. For instance, if
the program login attempts to authenticate a user, then PAM's
libraries follow the instructions in the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/login</xhtml:code>
to determine what actions should be taken.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
One very important file in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d</xhtml:code> is
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>. This file, which is included by
many other PAM configuration files, defines 'default' system authentication
measures. Modifying this file is a good way to make far-reaching
authentication changes, for instance when implementing a
centralized authentication service.</description>
<warning xml:lang="en-US" override="false" category="general">Be careful when making changes to PAM's
configuration files. The syntax for these files is complex, and
modifications can have unexpected consequences. The default
configurations shipped with applications should be sufficient for
most users.</warning>
<warning xml:lang="en-US" override="false" category="general">Running <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">authconfig</xhtml:code> or
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">system-config-authentication</xhtml:code> will re-write the PAM configuration
files, destroying any manually made changes and replacing them with
a series of system defaults. One reference to the configuration
file syntax can be found at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html.</warning>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" operator="equals" type="number">
<title xml:lang="en-US">remember</title>
<description xml:lang="en-US">The last n passwords for each user are saved in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/opasswd</xhtml:code> in order to force password change history and
keep the user from alternating between the same password too
frequently.</description>
<value>24</value>
<value selector="0">0</value>
<value selector="5">5</value>
<value selector="10">10</value>
<value selector="24">24</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="false" severity="low">
<title xml:lang="en-US">Set Last Logon/Access Notification</title>
<description xml:lang="en-US">To configure the system to notify users of last logon/access
using <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_lastlog</xhtml:code>, add the following line immediately after <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">session required pam_limits.so</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">session required pam_lastlog.so showfailed</pre>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">53</reference>
<rationale xml:lang="en-US">
Users need to be aware of activity that occurs regarding
their account. Providing users with information regarding the number
of unsuccessful attempts that were made to login to their account
allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators.
</rationale>
<check system="ocil-transitional">
<check-export export-name="that is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure that last logon/access notification is configured correctly, run
the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_lastlog.so /etc/pam.d/system-auth</pre>
The output should show output <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">showfailed</xhtml:code>.
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_password_quality">
<title xml:lang="en-US">Set Password Quality Requirements</title>
<description xml:lang="en-US">The default <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes. The
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> module is the preferred way of configuring
password requirements.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_cracklib</xhtml:code> PAM module can also provide strength
checking for passwords as the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> module.
It performs a number of checks, such as making sure passwords are
not similar to dictionary words, are of at least a certain length,
are not the previous password reversed, and are not simply a change
of case from the previous password. It can also require passwords to
be in certain character classes.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_passwdqc</xhtml:code> PAM module also provides the ability to enforce
stringent password strength requirements. It is provided
in an RPM of the same name and can be configured by setting the configuration
settings in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwdqc.conf</xhtml:code>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The man pages <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_cracklib(8)</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_passwdqc(8)</xhtml:code>
provide information on the capabilities and configuration of
each.</description>
<Group id="xccdf_org.ssgproject.content_group_password_quality_pwquality">
<title xml:lang="en-US">Set Password Quality Requirements with pam_pwquality</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> PAM module can be configured to meet
requirements for a variety of policies.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
For example, to configure <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> to require at least one uppercase
character, lowercase character, digit, and other (special)
character, make sure that <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> exists in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=</pre>
If no such line exists, add one as the first line of the password section in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>.
Next, modify the settings in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to match the following:
<pre xmlns="http://www.w3.org/1999/xhtml">difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3</pre>
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.
</description>
<warning xml:lang="en-US" override="false" category="general">Note that the password quality
requirements are not enforced for the root account for some
reason.</warning>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_retry" operator="equals" type="number">
<title xml:lang="en-US">retry</title>
<description xml:lang="en-US">Number of retry attempts before erroring out</description>
<value>3</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="3">3</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" operator="equals" type="number">
<title xml:lang="en-US">maxrepeat</title>
<description xml:lang="en-US">Maximum Number of Consecutive Repeating Characters in a Password</description>
<value>3</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="3">3</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_minlen" operator="equals" type="number">
<title xml:lang="en-US">minlen</title>
<description xml:lang="en-US">Minimum number of characters in password</description>
<value>14</value>
<value selector="6">6</value>
<value selector="8">8</value>
<value selector="10">10</value>
<value selector="12">12</value>
<value selector="14">14</value>
<value selector="15">15</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" operator="equals" type="number">
<title xml:lang="en-US">dcredit</title>
<description xml:lang="en-US">Minimum number of digits in password</description>
<value>-1</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" operator="equals" type="number">
<title xml:lang="en-US">ocredit</title>
<description xml:lang="en-US">Minimum number of other (special characters) in
password</description>
<value>-1</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" operator="equals" type="number">
<title xml:lang="en-US">lcredit</title>
<description xml:lang="en-US">Minimum number of lower case in password</description>
<value>-1</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" operator="equals" type="number">
<title xml:lang="en-US">ucredit</title>
<description xml:lang="en-US">Minimum number of upper case in password</description>
<value>-1</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_difok" operator="equals" type="number">
<title xml:lang="en-US">difok</title>
<description xml:lang="en-US">Minimum number of characters not present in old
password</description>
<warning xml:lang="en-US" override="false" category="general">Keep this high for short
passwords</warning>
<value>4</value>
<value selector="2">2</value>
<value selector="3">3</value>
<value selector="4">4</value>
<value selector="5">5</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_minclass" operator="equals" type="number">
<title xml:lang="en-US">minclass</title>
<description xml:lang="en-US">Minimum number of categories of characters that must exist in a password</description>
<value>3</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="3">3</value>
<value selector="4">4</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" operator="equals" type="number">
<title xml:lang="en-US">fail_deny</title>
<description xml:lang="en-US">Number of failed login attempts before account lockout</description>
<value>3</value>
<value selector="3">3</value>
<value selector="5">5</value>
<value selector="10">10</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" operator="equals" type="number">
<title xml:lang="en-US">fail_unlock_time</title>
<description xml:lang="en-US">Seconds before automatic unlocking after excessive failed logins</description>
<value>604800</value>
<value selector="900">900</value>
<value selector="1800">1800</value>
<value selector="3600">3600</value>
<value selector="86400">86400</value>
<value selector="604800">604800</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" operator="equals" type="number">
<title xml:lang="en-US">fail_interval</title>
<description xml:lang="en-US">Interval for counting failed login attempts before account lockout</description>
<value>900</value>
<value selector="900">900</value>
<value selector="1800">1800</value>
<value selector="3600">3600</value>
<value selector="86400">86400</value>
<value selector="100000000">100000000</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" selected="false" severity="low">
<title xml:lang="en-US">Set Password Retry Prompts Permitted Per-Session</title>
<description xml:lang="en-US">To configure the number of retry prompts that are permitted per-session:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Edit the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality.so</xhtml:code> statement in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> to
show <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">retry=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" use="legacy"/></xhtml:code>, or a lower value if site policy is more restrictive.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The DoD requirement is a maximum of 3 prompts per session.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:467" value-id="xccdf_org.ssgproject.content_value_var_password_pam_retry"/>
<check-content-ref name="oval:ssg:def:185" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many retry attempts are permitted on a per-session basis, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_pwquality /etc/pam.d/system-auth</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">retry</xhtml:code> parameter will indicate how many attempts are permitted.
The DoD required value is less than or equal to 3.
This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">retry=3</xhtml:code>, or a lower value.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" selected="false" severity="low">
<title xml:lang="en-US">Set Password to Maximum of Three Consecutive Repeating Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxrepeat</xhtml:code> parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxrepeat</xhtml:code> setting
in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to prevent a run of (<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" use="legacy"/> + 1) or more identical characters.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:473" value-id="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat"/>
<check-content-ref name="oval:ssg:def:235" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="maxrepeat is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the maximum value for consecutive repeating characters, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep maxrepeat /etc/security/pwquality.conf</pre>
Look for the value of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxrepeat</xhtml:code> parameter. The DoD requirement is 3 which would
appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxrepeat = 3</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Digit Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dcredit</xhtml:code> parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dcredit</xhtml:code> setting in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to require the use of a digit in passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">194</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:478" value-id="xccdf_org.ssgproject.content_value_var_password_pam_dcredit"/>
<check-content-ref name="oval:ssg:def:285" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="dcredit is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many digits are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep dcredit /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dcredit</xhtml:code> parameter (as a negative number) will indicate how many digits are required.
The DoD requires at least one digit in a password. This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dcredit = -1</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="false" severity="low">
<title xml:lang="en-US">Set Password Minimum Length</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minlen</xhtml:code> parameter controls requirements for
minimum characters required in a password. Add <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minlen=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" use="legacy"/></xhtml:code>
after pam_pwquality to set minimum password length requirements.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">205</reference>
<reference href="">78</reference>
<rationale xml:lang="en-US">
Password length is one factor of several that helps to determine
strength and how long it takes to crack a password. Use of more characters in
a password helps to exponentially increase the time and/or resources
required to compromise the password.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:468" value-id="xccdf_org.ssgproject.content_value_var_password_pam_minlen"/>
<check-content-ref name="oval:ssg:def:190" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="minlen is not found or not set to the required value (or higher)" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many characters are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep minlen /etc/security/pwquality.conf</pre>
Your output should contain <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minlen = <sub idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" use="legacy"/></xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Uppercase Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ucredit=</xhtml:code> parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ucredit</xhtml:code> setting in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to require the use of an uppercase character in passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring a minimum number of uppercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:469" value-id="xccdf_org.ssgproject.content_value_var_password_pam_ucredit"/>
<check-content-ref name="oval:ssg:def:214" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="ucredit is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many uppercase characters are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep ucredit /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ucredit</xhtml:code> parameter (as a negative number) will indicate how many uppercase characters are required.
The DoD and FISMA require at least one uppercase character in a password.
This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ucredit = -1</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Special Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ocredit=</xhtml:code> parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number, any password will be
required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ocredit</xhtml:code> setting in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to require use of a special character in passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:471" value-id="xccdf_org.ssgproject.content_value_var_password_pam_ocredit"/>
<check-content-ref name="oval:ssg:def:229" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="ocredit is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many special characters are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep ocredit /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ocredit</xhtml:code> parameter (as a negative number) will indicate how many special characters are required.
The DoD and FISMA require at least one special character in a password.
This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ocredit = -1</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Lowercase Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lcredit</xhtml:code> parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lcredit</xhtml:code> setting in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to require the use of a lowercase character in passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:476" value-id="xccdf_org.ssgproject.content_value_var_password_pam_lcredit"/>
<check-content-ref name="oval:ssg:def:262" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="lcredit is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many lowercase characters are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep lcredit /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lcredit</xhtml:code> parameter (as a negative number) will indicate how many special characters are required.
The DoD and FISMA require at least one lowercase character in a password.
This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lcredit = -1</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Different Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">difok</xhtml:code> parameter controls requirements for usage of different
characters during a password change. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">difok</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code>
to require differing characters when changing passwords. The DoD requirement is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">4</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring a minimum number of different characters during password changes ensures that
newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:474" value-id="xccdf_org.ssgproject.content_value_var_password_pam_difok"/>
<check-content-ref name="oval:ssg:def:247" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="difok is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many characters must differ during a password change, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep difok /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">difok</xhtml:code> parameter will indicate how many characters must differ. The DoD requires four characters
differ during a password change. This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">difok = 4</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Different Categories</title>
<description xml:lang="en-US">The pam_cracklib module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minclass</xhtml:code> parameter controls requirements for
usage of different character classes, or types, of character that must exist in a password
before it is considered valid. For example, setting this value to three (3) requires that
any password must have characters from at least three different categories in order to be
approved. The default value is zero (0), meaning there are no required classes. There are
four categories available:
<pre xmlns="http://www.w3.org/1999/xhtml">
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
</pre>
Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minclass</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> entry to require
differing categories of characters when changing passwords. The minimum requirement is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">3</xhtml:code>.
</description>
<rationale xml:lang="en-US">
Requiring a minimum number of character categories makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:463" value-id="xccdf_org.ssgproject.content_value_var_password_pam_minclass"/>
<check-content-ref name="oval:ssg:def:129" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="minclass is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many categories of characters must be used in password during a password change,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep minclass /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minclass</xhtml:code> parameter will indicate how many character classes must be used. If
the requirement was for the password to contain characters from three different categories,
then this would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minclass = 3</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_locking_out_password_attempts">
<title xml:lang="en-US">Set Lockouts for Failed Password Attempts</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock</xhtml:code> PAM module provides the capability to
lock out user accounts after a number of failed login attempts. Its
documentation is available in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/share/doc/pam-VERSION/txts/README.pam_faillock</xhtml:code>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
</description>
<warning xml:lang="en-US" override="false" category="general">Locking out user accounts presents the
risk of a denial-of-service attack. The lockout policy
must weigh whether the risk of such a
denial-of-service attack outweighs the benefits of thwarting
password guessing attacks.</warning>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="false" severity="medium">
<title xml:lang="en-US">Set Deny For Failed Password Attempts</title>
<description xml:lang="en-US">
To configure the system to lock out accounts after a number of incorrect login
attempts using <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock.so</xhtml:code>:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Add the following lines immediately below the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix.so</xhtml:code> statement in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">AUTH</xhtml:code> section of
both <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> and /etc/pam.d/password-auth:
<pre xmlns="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=604800 fail_interval=900</pre>
<pre xmlns="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=604800 fail_interval=900</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-7(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:466" value-id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny"/>
<check-content-ref name="oval:ssg:def:157" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="that is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the failed password attempt policy is configured correctly, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_faillock /etc/pam.d/system-auth</pre>
The output should show <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">deny=3</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" selected="false" severity="medium">
<title xml:lang="en-US">Set Lockout Time For Failed Password Attempts</title>
<description xml:lang="en-US">
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock.so</xhtml:code>:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Add the following lines immediately below the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_env.so</xhtml:code> statement in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=3 unlock_time=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=900</pre>
<pre xmlns="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=3 unlock_time=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=900</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-7(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">47</reference>
<rationale xml:lang="en-US">
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks. Ensuring that an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations.
</rationale>
<check system="ocil-transitional">
<check-export export-name="that is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the failed password attempt policy is configured correctly, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_faillock /etc/pam.d/system-auth</pre>
The output should show <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">unlock_time=<some-large-number></xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_fail_interval" selected="false" severity="medium">
<title xml:lang="en-US">Set Interval For Counting Failed Password Attempts</title>
<description xml:lang="en-US">
Utilizing <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock.so</xhtml:code>, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fail_interval</xhtml:code> directive configures the system to lock out accounts after a number of incorrect login
attempts.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Add the following <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fail_interval</xhtml:code> directives to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock.so</xhtml:code> immediately below the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_env.so</xhtml:code> statement in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/password-auth</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></pre>
<pre xmlns="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-7(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1452</reference>
<rationale xml:lang="en-US">
Locking out user accounts after a number of incorrect attempts within a
specific period of time prevents direct password guessing attacks.
</rationale>
<check system="ocil-transitional">
<check-export export-name="that is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the failed password attempt policy is configured correctly, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth</pre>
For each file, the output should show <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fail_interval=<interval-in-seconds></xhtml:code> where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">interval-in-seconds</xhtml:code> is 900 (15 minutes) or greater. If the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fail_interval</xhtml:code> parameter is not set, the default setting of 900 seconds is acceptable.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" selected="false" severity="medium">
<title xml:lang="en-US">Limit Password Reuse</title>
<description xml:lang="en-US">Do not allow users to reuse recent passwords. This can
be accomplished by using the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">remember</xhtml:code> option for the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix</xhtml:code> PAM
module. In the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>, append <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">remember=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" use="legacy"/></xhtml:code> to the
line which refers to the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix.so</xhtml:code> module, as shown:
<pre xmlns="http://www.w3.org/1999/xhtml">password sufficient pam_unix.so <i>existing_options</i> remember=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" use="legacy"/></pre>
The DoD and FISMA requirement is 24 passwords.</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:470" value-id="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember"/>
<check-content-ref name="oval:ssg:def:225" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify the password reuse setting is compliant, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep remember /etc/pam.d/system-auth</pre>
The output should show the following at the end of the line:
<pre xmlns="http://www.w3.org/1999/xhtml">remember=24</pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm">
<title xml:lang="en-US">Set Password Hashing Algorithm</title>
<description xml:lang="en-US">The system's default algorithm for storing password hashes in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code> is SHA-512. This can be configured in several
locations.</description>
<Rule id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="false" severity="medium">
<title xml:lang="en-US">Set Password Hashing Algorithm in /etc/pam.d/system-auth</title>
<description xml:lang="en-US">
In <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">password</xhtml:code> section of
the file controls which PAM modules execute during a password change.
Set the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix.so</xhtml:code> module in the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">password</xhtml:code> section to include the argument <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sha512</xhtml:code>, as shown below:
<pre xmlns="http://www.w3.org/1999/xhtml">password sufficient pam_unix.so sha512 <i>other arguments...</i></pre>
This will help ensure when local users change their passwords, hashes for the new
passwords will be generated using the SHA-512 algorithm.
This is the default.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">password</xhtml:code> section of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> and
ensure that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix.so</xhtml:code> module includes the argument
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sha512</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep sha512 /etc/pam.d/system-auth</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="false" severity="medium">
<title xml:lang="en-US">Set Password Hashing Algorithm in /etc/login.defs</title>
<description xml:lang="en-US">
In <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
<pre xmlns="http://www.w3.org/1999/xhtml">ENCRYPT_METHOD SHA512</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:153" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> and ensure the following line appears:
<pre xmlns="http://www.w3.org/1999/xhtml">ENCRYPT_METHOD SHA512</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="false" severity="medium">
<title xml:lang="en-US">Set Password Hashing Algorithm in /etc/libuser.conf</title>
<description xml:lang="en-US">
In <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/libuser.conf</xhtml:code>, add or correct the following line in its
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[defaults]</xhtml:code> section to ensure the system will use the SHA-512
algorithm for password hashing:
<pre xmlns="http://www.w3.org/1999/xhtml">crypt_style = sha512</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/libuser.conf</xhtml:code> and ensure the following line appears
in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[default]</xhtml:code> section:
<pre xmlns="http://www.w3.org/1999/xhtml">crypt_style = sha512</pre>
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts-physical">
<title xml:lang="en-US">Protect Physical Console Access</title>
<description xml:lang="en-US">It is impossible to fully protect a system from an
attacker with physical access, so securing the space in which the
system is located should be considered a necessary step. However,
there are some steps which, if taken, make it more difficult for an
attacker to quickly or undetectably modify a system from its
console.</description>
<Group id="xccdf_org.ssgproject.content_group_bootloader">
<title xml:lang="en-US">Set Boot Loader Password</title>
<description xml:lang="en-US">During the boot process, the boot loader is
responsible for starting the execution of the kernel and passing
options to it. The boot loader allows for the selection of
different kernels - possibly on different partitions or media.
The default Fedora boot loader for x86 systems is called GRUB2.
Options it can pass to the kernel include <i xmlns="http://www.w3.org/1999/xhtml">single-user mode</i>, which
provides root access without any authentication, and the ability to
disable SELinux. To prevent local users from modifying the boot
parameters and endangering security, protect the boot loader configuration
with a password and ensure its configuration file's permissions
are set properly.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg" selected="false" severity="medium">
<title xml:lang="en-US">Verify /boot/grub2/grub.cfg User Ownership</title>
<description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code> should
be owned by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> user to prevent destruction
or modification of the file.
To properly set the owner of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># chown root/boot/grub2/grub.cfg</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
<rationale xml:lang="en-US">
Only root should be able to modify important boot parameters.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:237" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the ownership of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ls -lL /boot/grub2/grub.cfg</xhtml:pre>
If properly configured, the output should indicate the following owner:
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg" selected="false" severity="medium">
<title xml:lang="en-US">Verify /boot/grub2/grub.cfg Group Ownership</title>
<description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code> should
be group-owned by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> group to prevent
destruction or modification of the file.
To properly set the group owner of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># chgrp root/boot/grub2/grub.cfg</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
<rationale xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:278" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the group ownership of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ls -lL /boot/grub2/grub.cfg</xhtml:pre>
If properly configured, the output should indicate the following group-owner.
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="false" severity="medium">
<title xml:lang="en-US">Verify /boot/grub2/grub.cfg Permissions</title>
<description xml:lang="en-US">File permissions for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code> should be set to 600, which
is the default.
To properly set the permissions of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># chmod 600/boot/grub2/grub.cfg</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
<rationale xml:lang="en-US">
Proper permissions ensure that only the root user can modify important boot
parameters.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:192" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the permissions of /boot/grub2/grub.cfg, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -lL /boot/grub2/grub.cfg</pre>
If properly configured, the output should indicate the following
permissions: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-rw-------</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bootloader_password" selected="false" severity="medium">
<title xml:lang="en-US">Set Boot Loader Password</title>
<description xml:lang="en-US">The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
To do so, select a superuser account and password and add them into the
appropriate grub2 configuration file(s) under <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/grub.d</xhtml:code>.
Since plaintext passwords are a security risk, generate a hash for the pasword
by running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grub2-mkpasswd-pbkdf2</pre>
When prompted, enter the password that was selected and insert the returned
password hash into the appropriate grub2 configuration file(s) under
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/grub.d</xhtml:code> immediately after the superuser account.
(Use the output from <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">grub2-mkpasswd-pbkdf2</xhtml:code> as the value of
<b xmlns="http://www.w3.org/1999/xhtml">password-hash</b>):
<pre xmlns="http://www.w3.org/1999/xhtml">password_pbkdf2 <b>superusers-account</b> <b>password-hash</b></pre>
NOTE: It is recommended not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
<br xmlns="http://www.w3.org/1999/xhtml"/>
To meet FISMA Moderate, the bootloader superuser account and password MUST
differ from the root account and password.
Once the superuser account and password have been added, update the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">grub.cfg</xhtml:code> file by running:
<pre xmlns="http://www.w3.org/1999/xhtml">grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
NOTE: Do NOT manually add the superuser account and password to the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">grub.cfg</xhtml:code> file as the grub2-mkconfig command overwrites this file.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</reference>
<rationale xml:lang="en-US">
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. For more information on how to configure
the grub2 superuser account and password, please refer to
<ul xmlns="http://www.w3.org/1999/xhtml"><li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html</li>.
</ul>
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:264" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify the boot loader superuser account and superuser account password have
been set, and the password encrypted, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">sudo grep -A1 "superusers\|password" /etc/grub2.cfg</pre>
The output should show the following:
<pre xmlns="http://www.w3.org/1999/xhtml">set superusers="<b>superusers-account</b>"
password_pbkdf2 <b>superusers-account</b> <b>password-hash</b></pre>
</check-content>
</check>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="false" severity="medium">
<title xml:lang="en-US">Require Authentication for Single User Mode</title>
<description xml:lang="en-US">Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
By default, single-user mode is protected by requiring a password and is set
in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/lib/systemd/system/rescue.service</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</reference>
<rationale xml:lang="en-US">
This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:298" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the output is different" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check if authentication is required for single-user mode, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep sulogin /usr/lib/systemd/system/rescue.service</pre>
The output should be similar to the following, and the line must begin with
ExecStart and /sbin/sulogin:
<pre xmlns="http://www.w3.org/1999/xhtml">ExecStart=-/sbin/sulogin</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="false" severity="high">
<title xml:lang="en-US">Disable Ctrl-Alt-Del Reboot Activation</title>
<description xml:lang="en-US">
By default, the system includes the following line in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/init/control-alt-delete.conf</xhtml:code>
to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
<pre xmlns="http://www.w3.org/1999/xhtml">exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
To configure the system to log a message instead of
rebooting the system, alter that line to read as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre>
</description>
<rationale xml:lang="en-US">
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
In the GNOME graphical environment, risk of unintentional reboot from the
Ctrl-Alt-Del sequence is reduced because the user will be
prompted before any action is taken.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the system is configured to run the shutdown command" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the system is configured to log a message instead of rebooting the system when
Ctrl-Alt-Del is pressed, ensure the following line is in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/init/control-alt-delete.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_disable_interactive_boot" selected="false" severity="medium">
<title xml:lang="en-US">Disable Interactive Boot</title>
<description xml:lang="en-US">
To disable the ability for users to perform interactive startups,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/init</xhtml:code>.
Add or correct the line:
<pre xmlns="http://www.w3.org/1999/xhtml">PROMPT=no</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PROMPT</xhtml:code> option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-2</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</reference>
<rationale xml:lang="en-US">
Using interactive boot,
the console user could disable auditing, firewalls, or other
services, weakening system security.
</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check whether interactive boot is disabled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PROMPT /etc/sysconfig/init</pre>
If interactive boot is disabled, the output will show:
<pre xmlns="http://www.w3.org/1999/xhtml">PROMPT=no</pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_screen_locking">
<title xml:lang="en-US">Configure Screen Locking</title>
<description xml:lang="en-US">When a user must temporarily leave an account
logged-in, screen locking should be employed to prevent passersby
from abusing the account. User education and training is
particularly important for screen locking to be effective, and policies
can be implemented to reinforce this.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Automatic screen locking is only meant as a safeguard for
those cases where a user forgot to lock the screen.</description>
<Group id="xccdf_org.ssgproject.content_group_gui_screen_locking">
<title xml:lang="en-US">Configure GUI Screen Locking</title>
<description xml:lang="en-US">In the default GNOME3 desktop, the screen can be locked
by selecting the user name in the far right corner of the main panel and
selecting <b xmlns="http://www.w3.org/1999/xhtml">Lock</b>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The following sections detail commands to enforce idle activation of the screensaver,
screen locking, a blank-screen screensaver, and an idle
activation time.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Because users should be trained to lock the screen when they
step away from the computer, the automatic locking feature is only
meant as a backup.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The root account can be screen-locked; however,
the root account should <i xmlns="http://www.w3.org/1999/xhtml">never</i> be used
to log into an X Windows environment and should only be used to
for direct login via console in emergency circumstances.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
For more information about enforcing preferences in the GNOME3 environment using the DConf
configuration system, see <b xmlns="http://www.w3.org/1999/xhtml">http://wiki.gnome.org/dconf</b> and
the man page <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf(1)</xhtml:code>. For Red Hat specific information on configuring DConf
settings, see <b xmlns="http://www.w3.org/1999/xhtml">https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/part-Configuration_and_Administration.html</b>
</description>
<Value id="xccdf_org.ssgproject.content_value_inactivity_timeout_value" operator="equals" type="number">
<title xml:lang="en-US">Inactivity timeout</title>
<description xml:lang="en-US">Choose allowed duration of inactive SSH connections, shells, and X sessions</description>
<value>900</value>
<value selector="5_minutes">300</value>
<value selector="10_minutes">600</value>
<value selector="15_minutes">900</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" selected="false" severity="medium">
<title xml:lang="en-US">Set GNOME3 Screensaver Inactivity Timeout</title>
<description xml:lang="en-US">
To set the idle time-out value for inactivity in the GNOME3 desktop to 5 minutes (in seconds),
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">idle-delay</xhtml:code> setting must be set under an appropriate
configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</reference>
<rationale xml:lang="en-US">
Setting the idle delay controls when the
screensaver will start, and can be combined with
screen locking to prevent access from passersby.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:479" value-id="xccdf_org.ssgproject.content_value_inactivity_timeout_value"/>
<check-content-ref name="oval:ssg:def:294" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the current idle time-out value, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.session idle-delay</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">300</xhtml:code>.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep idle-delay /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/session/idle-delay</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" selected="false" severity="medium">
<title xml:lang="en-US">Enable GNOME3 Screensaver Idle Activation</title>
<description xml:lang="en-US">
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">idle-activation-enabled</xhtml:code> setting must be set under an appropriate
configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</reference>
<rationale xml:lang="en-US">
Enabling idle activation of the screensaver ensures the screensaver will
be activated after the idle delay. Applications requiring continuous,
real-time screen display (such as network management products) require the
login session does not have administrator rights and the display station is located in a
controlled-access area.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:269" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>To check the screensaver mandatory use status, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/screensaver/idle-activation-enabled</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" selected="false" severity="medium">
<title xml:lang="en-US">Enable GNOME3 Screensaver Lock After Idle Period</title>
<description xml:lang="en-US">
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lock-enabled</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lock-delay</xhtml:code> setting must be set under an appropriate
configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</reference>
<rationale xml:lang="en-US">
Enabling the activation of the screen lock after an idle period
ensures password entry will be required in order to
access the system, preventing access by passersby.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:287" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the status of the idle screen lock activation, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.screensaver lock-enabled</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To check that the screen locks when activated, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.screensaver lock-delay</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code>.
To ensure that users cannot change how long until the the screensaver locks, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep 'lock-enabled\|lock-delay' /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lock-enabled</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/screensaver/lock-enabled</xhtml:code>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lock-delay</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/screensaver/lock-delay</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" selected="false" severity="low">
<title xml:lang="en-US">Implement Blank Screensaver</title>
<description xml:lang="en-US">
To set the screensaver mode in the GNOME3 desktop to a blank screen,
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">picture-uri</xhtml:code> setting must be set under an appropriate
configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">60</reference>
<rationale xml:lang="en-US">
Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:172" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the screensaver is configured to be blank, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.screensaver picture-uri</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">''</xhtml:code>.
To ensure that users cannot set the screensaver background, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep picture-uri /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/screensaver/picture-uri</xhtml:code>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_console_screen_locking">
<title xml:lang="en-US">Configure Console Screen Locking</title>
<description xml:lang="en-US">
A console screen locking mechanism is provided in the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> package, which is not installed by default.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false" severity="low">
<title xml:lang="en-US">Install the screen Package</title>
<description xml:lang="en-US">
To enable console screen locking, install the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> package:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo yum install screen</pre>
Instruct users to begin new terminal sessions with the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ screen</pre>
The console can now be locked with the following key combination:
<pre xmlns="http://www.w3.org/1999/xhtml">ctrl+a x</pre>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">58</reference>
<rationale xml:lang="en-US">
Installing <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> ensures a console locking capability is available
for users who may need to suspend console logins.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the package is not installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> package is installed:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q screen</xhtml:pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_smart_card_login">
<title xml:lang="en-US">Hardware Tokens for Authentication</title>
<description xml:lang="en-US">
The use of hardware tokens such as smart cards for system login
provides stronger, two-factor authentication than using a username/password.
In Fedora servers and workstations, hardware token login
is not enabled by default and must be enabled in the system settings.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_smartcard_auth" selected="false" severity="medium">
<title xml:lang="en-US">Enable Smart Card Login</title>
<description xml:lang="en-US">
To enable smart card authentication, consult the documentation at:
<ul xmlns="http://www.w3.org/1999/xhtml"><li>https://docs.fedoraproject.org/docs/en-US/Fedora/18/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html</li></ul>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">765</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">766</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">767</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">768</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">771</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">772</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">884</reference>
<rationale xml:lang="en-US">Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
</rationale>
<check system="ocil-transitional">
<check-export export-name="non-exempt accounts are not using CAC authentication" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Interview the SA to determine if all accounts not exempted by policy are
using CAC authentication.
</check-content>
</check>
</Rule>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts-banners">
<title xml:lang="en-US">Warning Banners for System Accesses</title>
<description xml:lang="en-US">Each system should expose as little information about
itself as possible.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
System banners, which are typically displayed just before a
login prompt, give out information about the service or the host's
operating system. This might include the distribution name and the
system kernel version, and the particular version of a network
service. This information can assist intruders in gaining access to
the system as it can reveal whether the system is running
vulnerable software. Most network services can be configured to
limit what information is displayed.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Many organizations implement security policies that require a
system banner provide notice of the system's ownership, provide
warning to unauthorized users, and remind authorized users of their
consent to monitoring.</description>
<Value id="xccdf_org.ssgproject.content_value_login_banner_text" operator="equals" type="string">
<title xml:lang="en-US">Login Banner Verbiage</title>
<description xml:lang="en-US">Enter an appropriate login banner for your organization. Please note that new lines must
be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.</description>
<value selector="usgcb_default">--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.</value>
<value selector="dod_default">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</value>
<value selector="dod_short">I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_set_system_login_banner" selected="false" severity="medium">
<title xml:lang="en-US">Modify the System Login Banner</title>
<description xml:lang="en-US">
To configure the system login banner:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/issue</xhtml:code>. Replace the default text with a message
compliant with the local site policy or a legal disclaimer.
The DoD required text is either:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
<br xmlns="http://www.w3.org/1999/xhtml"/>-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
<br xmlns="http://www.w3.org/1999/xhtml"/>-At any time, the USG may inspect and seize data stored on this IS.
<br xmlns="http://www.w3.org/1999/xhtml"/>-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
<br xmlns="http://www.w3.org/1999/xhtml"/>-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests -- not for your personal benefit or privacy.
<br xmlns="http://www.w3.org/1999/xhtml"/>-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
searching or monitoring of the content of privileged communications, or work
product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.</xhtml:code>
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
OR:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">I've read & consent to terms in IS user agreem't.</xhtml:code>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1384</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1385</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1386</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1387</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1388</reference>
<rationale xml:lang="en-US">
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:456" value-id="xccdf_org.ssgproject.content_value_login_banner_text"/>
<check-content-ref name="oval:ssg:def:253" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not display the required banner" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check if the system login banner is compliant,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ cat /etc/issue</pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_gui_login_banner">
<title xml:lang="en-US">Implement a GUI Warning Banner</title>
<description xml:lang="en-US">In the default graphical environment, users logging
directly into the system are greeted with a login screen provided
by the GNOME3 Display Manager (GDM). The warning banner should be
displayed in this graphical environment for these users.
The following sections describe how to configure the GDM login
banner.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" selected="false" severity="medium">
<title xml:lang="en-US">Enable GNOME3 Login Warning Banner</title>
<description xml:lang="en-US">
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">banner-message-enable</xhtml:code> setting must be
set under an appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
To display a banner, this setting must be enabled, and the user must be prevented
from making changes. The banner text must also be set.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">50</reference>
<rationale xml:lang="en-US">
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:144" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure a login warning banner is enabled, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep banner-message-enable /etc/dconf/db/gdm.d/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/login-screen/banner-message-enable</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" selected="false" severity="medium">
<title xml:lang="en-US">Set the GNOME3 Login Warning Banner Text</title>
<description xml:lang="en-US">
To set the text shown by the GNOME3 Display Manager
in the login screen, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">banner-message-text</xhtml:code> setting must be set under an
appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d</xhtml:code> directory and locked
in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
When entering a warning banner that spans several lines, remember
to begin and end the string with <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">'</xhtml:code> and use <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">\n</xhtml:code> for new lines.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1384</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1385</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1386</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1387</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1388</reference>
<rationale xml:lang="en-US">
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:456" value-id="xccdf_org.ssgproject.content_value_login_banner_text"/>
<check-content-ref name="oval:ssg:def:197" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the login warning banner text is properly set, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep banner-message-text /etc/dconf/db/gdm.d/*</pre>
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/login-screen/banner-message-text</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list" selected="false" severity="low">
<title xml:lang="en-US">Disable the GNOME3 Login User List</title>
<description xml:lang="en-US">In the default graphical environment, users logging
directly into the system are greeted with a login screen that displays
all known users. This functionality should be disabled.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">disable-user-list</xhtml:code> setting must be
set under an appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-23</reference>
<rationale xml:lang="en-US">Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in.</rationale>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the user list is disabled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep disable-user-list /etc/dconf/db/gdm.d/*</pre>
The output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure that users cannot enable displaying the user list, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep disable-user-list /etc/dconf/db/gdm.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/login-screen/disable-user-list</xhtml:code>
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_network">
<title xml:lang="en-US">Network Configuration and Firewalls</title>
<description xml:lang="en-US">Most machines must be connected to a network of some
sort, and this brings with it the substantial risk of network
attack. This section discusses the security impact of decisions
about networking which must be made when configuring a system.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
This section also discusses firewalls, network access
controls, and other network security frameworks, which allow
system-level rules to be written that can limit an attackers' ability
to connect to your system. These rules can specify that network
traffic should be allowed or denied from certain IP addresses,
hosts, and networks. The rules can also specify which of the
system's network services are available to particular hosts or
networks.</description>
<Group id="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces">
<title xml:lang="en-US">Disable Unused Interfaces</title>
<description xml:lang="en-US">Network interfaces expand the attack surface of the
system. Unused interfaces are not monitored or controlled, and
should be disabled.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If the system does not require network communications but still
needs to use the loopback interface, remove all files of the form
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code> except for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ifcfg-lo</xhtml:code> from
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo rm /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre>
If the system is a standalone machine with no need for network access or even
communication over the loopback device, then disable this service.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">network</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable network.service</xhtml:pre>
</description>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_network_disable_zeroconf" selected="false" severity="low">
<title xml:lang="en-US">Disable Zeroconf Networking</title>
<description xml:lang="en-US">Zeroconf networking allows the system to assign itself an IP
address and engage in IP communication without a statically-assigned address or
even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not
recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0
subnet, add or correct the following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">NOZEROCONF=yes</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Zeroconf addresses are in the network 169.254.0.0. The networking
scripts add entries to the system's routing table for these addresses. Zeroconf
address assignment commonly occurs when the system is configured to use DHCP
but fails to receive an address assignment from the DHCP server.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" selected="false" severity="low">
<title xml:lang="en-US">Ensure System is Not Acting as a Network Sniffer</title>
<description xml:lang="en-US">The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
<pre xmlns="http://www.w3.org/1999/xhtml">$ ip link | grep PROMISC</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-3</reference>
<rationale xml:lang="en-US">If any results are returned, then a sniffing process (such as tcpdump
or Wireshark) is likely to be using the interface and this should be
investigated.
</rationale>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_network-ipv6">
<title xml:lang="en-US">IPv6</title>
<description xml:lang="en-US">The system includes support for Internet Protocol
version 6. A major and often-mentioned improvement over IPv4 is its
enormous increase in the number of available addresses. Another
important feature is its support for automatic configuration of
many network settings.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_ipv6">
<title xml:lang="en-US">Disable Support for IPv6 Unless Needed</title>
<description xml:lang="en-US">
Despite configuration that suggests support for IPv6 has
been disabled, link-local IPv6 address auto-configuration occurs
even when only an IPv4 address is assigned. The only way to
effectively prevent execution of the IPv6 networking stack is to
instruct the system not to activate the IPv6 kernel module.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable" selected="false" severity="medium">
<title xml:lang="en-US">Disable IPv6 Networking Support Automatic Loading</title>
<description xml:lang="en-US">To disable support for (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ipv6</xhtml:code>) add the following line to
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.d/ipv6.conf</xhtml:code> (or another file in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.d</xhtml:code>):
<pre xmlns="http://www.w3.org/1999/xhtml">net.ipv6.conf.all.disable_ipv6 = 1</pre>
This disables IPv6 on all network interfaces as other services and system
functionality require the IPv6 stack loaded to work.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
<rationale xml:lang="en-US">
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
the vulnerability to exploitation.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:259" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the ipv6 support is disabled on network interfaces" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
If the system uses IPv6, this is not applicable.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If the system is configured to prevent the usage of the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ipv6</xhtml:code> on network interfaces, it will contain a line
of the form:
<pre xmlns="http://www.w3.org/1999/xhtml">net.ipv6.conf.all.disable_ipv6 = 1</pre>
Such lines may be inside any file in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.d</xhtml:code> directory.
This permits insertion of the IPv6 kernel module (which other parts of
the system expect to be present), but otherwise keeps all network interfaces
from using IPv6.
Run the following command to search for such
lines in all files in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.d</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml" xml:space="preserve">$ grep -r ipv6 /etc/sysctl.d</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces" selected="false" severity="low">
<title xml:lang="en-US">Disable Interface Usage of IPv6</title>
<description xml:lang="en-US">To disable interface usage of IPv6, add or correct the following lines in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">NETWORKING_IPV6=no
IPV6INIT=no</pre>
</description>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc" selected="false" severity="low">
<title xml:lang="en-US">Disable Support for RPC IPv6</title>
<description xml:lang="en-US">RPC services for NFSv4 try to load transport modules for
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">udp6</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">tcp6</xhtml:code> by default, even if IPv6 has been disabled in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>. To prevent RPC services such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpc.mountd</xhtml:code>
from attempting to start IPv6 network listeners, remove or comment out the
following two lines in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/netconfig</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_configuring_ipv6">
<title xml:lang="en-US">Configure IPv6 Settings if Necessary</title>
<description xml:lang="en-US">A major feature of IPv6 is the extent to which systems
implementing it can automatically configure their networking
devices using information from the network. From a security
perspective, manually configuring important configuration
information is preferable to accepting it from the network
in an unauthenticated fashion.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig">
<title xml:lang="en-US">Disable Automatic Configuration</title>
<description xml:lang="en-US">Disable the system's acceptance of router
advertisements and redirects by adding or correcting the following
line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</xhtml:code> (note that this does not disable
sending router solicitations):
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6_AUTOCONF=no</pre>
</description>
<Value id="xccdf_org.ssgproject.content_value_sysconfig_network_IPV6_AUTOCONF_value" operator="equals" type="string">
<title xml:lang="en-US">IPV6_AUTOCONF</title>
<description xml:lang="en-US">Toggle global IPv6 auto-configuration (only, if global
forwarding is disabled)</description>
<value>no</value>
<value selector="enabled">yes</value>
<value selector="disabled">no</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_value" operator="equals" type="string">
<title xml:lang="en-US">net.ipv6.conf.default.accept_ra</title>
<description xml:lang="en-US">Accept default router advertisements?</description>
<value>0</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_redirects_value" operator="equals" type="string">
<title xml:lang="en-US">net.ipv6.conf.default.accept_redirects</title>
<description xml:lang="en-US">Toggle ICMP Redirect Acceptance</description>
<value>0</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="false" severity="low">
<title xml:lang="en-US">Disable Accepting IPv6 Router Advertisements</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_ra</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w net.ipv6.conf.default.accept_ra=0</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv6.conf.default.accept_ra = 0</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">
An illicit router advertisement message could result in a man-in-the-middle attack.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_ra</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl net.ipv6.conf.default.accept_ra</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="false" severity="medium">
<title xml:lang="en-US">Disable Accepting IPv6 Redirects</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_redirects</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w net.ipv6.conf.default.accept_redirects=0</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv6.conf.default.accept_redirects = 0</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
<rationale xml:lang="en-US">
An illicit ICMP redirect message could result in a man-in-the-middle attack.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_redirects</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl net.ipv6.conf.default.accept_redirects</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_static_address" selected="false" severity="low">
<title xml:lang="en-US">Manually Assign Global IPv6 Address</title>
<description xml:lang="en-US">To manually assign an IP address for an interface, edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code>. Add or correct the
following line (substituting the correct IPv6 address):
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6ADDR=2001:0DB8::ABCD/64</pre>
Manually assigning an IP address is preferable to accepting one from routers or
from the network otherwise. The example address here is an IPv6 address
reserved for documentation purposes, as defined by RFC3849.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions" selected="false" severity="low">
<title xml:lang="en-US">Use Privacy Extensions for Address</title>
<description xml:lang="en-US">To introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6_PRIVACY=rfc3041</pre>
Automatically-generated IPv6 addresses are based on the underlying hardware
(e.g. Ethernet) address, and so it becomes possible to track a piece of
hardware over its lifetime using its traffic. If it is important for a system's
IP address to not trivially reveal its hardware address, this setting should be
applied.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_default_gateway" selected="false" severity="low">
<title xml:lang="en-US">Manually Assign IPv6 Router Address</title>
<description xml:lang="en-US">Edit the file
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code>, and add or correct
the following line (substituting your gateway IP as appropriate):
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6_DEFAULTGW=2001:0DB8::0001</pre>
Router addresses should be manually set and not accepted via any
auto-configuration or router advertisement.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests">
<title xml:lang="en-US">Limit Network-Transmitted Configuration if Using Static IPv6 Addresses</title>
<description xml:lang="en-US">To limit the configuration information requested from other
systems and accepted from the network on a system that uses
statically-configured IPv6 addresses, add the following lines to
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">router_solicitations</xhtml:code> setting determines how many router
solicitations are sent when bringing up the interface. If addresses are
statically assigned, there is no need to send any solicitations.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">accept_ra_pinfo</xhtml:code> setting controls whether the system will accept
prefix info from the router.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">accept_ra_defrtr</xhtml:code> setting controls whether the system will accept
Hop Limit settings from a router advertisement. Setting it to 0 prevents a
router from changing your default IPv6 Hop Limit for outgoing packets.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autoconf</xhtml:code> setting controls whether router advertisements can cause
the system to assign a global unicast address to an interface.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dad_transmits</xhtml:code> setting determines how many neighbor solicitations
to send out per address (global and link-local) when bringing up an interface
to ensure the desired address is unique on the network.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">max_addresses</xhtml:code> setting determines how many global unicast IPv6
addresses can be assigned to each interface. The default is 16, but it should
be set to exactly the number of statically configured global addresses
required.
</description>
</Group>
</Group>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_services">
<title xml:lang="en-US">Services</title>
<description xml:lang="en-US">
The best protection against vulnerable software is running less software. This
section describes how to review the software which Fedora installs on a system
and disable software which is not needed. It then enumerates the software
packages installed on a default Fedora system and provides guidance about which
ones can be safely disabled.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Fedora provides a convenient minimal install option that essentially installs
the bare necessities for a functional system. When building Fedora servers, it
is highly recommended to select the minimal packages and then build up the
system from there.
</description>
<Group id="xccdf_org.ssgproject.content_group_ssh">
<title xml:lang="en-US">SSH Server</title>
<description xml:lang="en-US">The SSH protocol is recommended for remote login and remote file
transfer. SSH provides confidentiality and integrity for data exchanged between
two systems, as well as server authentication, through the use of public key
cryptography. The implementation included with the system is called OpenSSH,
and more detailed documentation is available from its website,
http://www.openssh.org. Its server program is called <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sshd</xhtml:code> and
provided by the RPM package <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">openssh-server</xhtml:code>.</description>
<Value id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" operator="equals" type="number">
<title xml:lang="en-US">SSH session Idle time</title>
<description xml:lang="en-US">Specify duration of allowed idle time.</description>
<value>300</value>
<value selector="5_minutes">300</value>
<value selector="10_minutes">600</value>
<value selector="15_minutes">900</value>
</Value>
<Group id="xccdf_org.ssgproject.content_group_ssh_server">
<title xml:lang="en-US">Configure OpenSSH Server if Necessary</title>
<description xml:lang="en-US">If the system needs to act as an SSH server, then certain changes
should be made to the OpenSSH daemon configuration file
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code>. The following recommendations can be applied
to this file. See the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sshd_config(5)</xhtml:code> man page for more detailed
information.</description>
<Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="false" severity="medium">
<title xml:lang="en-US">SSH Root Login Disabled</title>
<description xml:lang="en-US">The root user should never be allowed to login to a system
directly over a network. To disable root login via SSH, add or correct the
following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">PermitRootLogin no</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</reference>
<rationale xml:lang="en-US">
Permitting direct root login reduces auditable information about who ran
privileged commands on the system and also allows direct attack attempts on
root's password.
</rationale>
<fix system="urn:xccdf:fix:script:sh">
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
fi
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:243" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="false" severity="high">
<title xml:lang="en-US">SSH Access via Empty Passwords Disabled</title>
<description xml:lang="en-US">To explicitly disallow remote login from accounts with empty
passwords, add or correct the following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">PermitEmptyPasswords no</pre>
Any accounts with empty passwords should be disabled immediately, and PAM
configuration should prevent users from being able to assign themselves empty
passwords.
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">765</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">766</reference>
<rationale xml:lang="en-US">
Configuring this setting for the SSH daemon provides additional assurance that
remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.
</rationale>
<fix system="urn:xccdf:fix:script:sh">
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# PermitEmptyPasswords directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_EMPTY_PASSWORDS=$(sed -n '/^[[:space:]]*PermitEmptyPasswords[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
then
# Append 'PermitEmptyPasswords no' at the end of $SSHD_CONFIG
echo -e "\nPermitEmptyPasswords no" >> $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of PermitEmptyPasswords directive
sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
then
# Prepend 'PermitEmptyPasswords no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_PERMIT_EMPTY_PASSWORDS" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of PermitEmptyPasswords directive
sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'PermitEmptyPasswords no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
fi
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:227" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="false" severity="low">
<title xml:lang="en-US">SSH Idle Timeout Interval Used</title>
<description xml:lang="en-US">SSH allows administrators to set an idle timeout interval.
After this interval has passed, the idle user will be automatically logged out.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
To set an idle timeout interval, edit the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code> file,
locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveInterval <b>INTERVAL</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveInterval <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/></b></pre>
The timeout <b xmlns="http://www.w3.org/1999/xhtml">INTERVAL</b> is given in seconds. To have a timeout of 15
minutes, set <b xmlns="http://www.w3.org/1999/xhtml">INTERVAL</b> to 900.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made here. Keep in mind that some processes may stop
SSH from correctly detecting that the user is idle.
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">879</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1133</reference>
<rationale xml:lang="en-US">
Causing idle users to be automatically logged out guards against compromises
one system leading trivially to compromises on another.
</rationale>
<fix system="urn:xccdf:fix:script:sh">sshd_idle_timeout_value="<sub idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/>"
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# ClientAliveInterval directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_INTERVAL=$(sed -n '/^[[:space:]]*ClientAliveInterval[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
then
# Append 'ClientAliveInterval $sshd_idle_timeout_value' at the end of $SSHD_CONFIG
echo -e "\nClientAliveInterval $sshd_idle_timeout_value" >> $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of ClientAliveInterval directive
sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
then
# Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_CLIENT_ALIVE_INTERVAL" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of ClientAliveInterval directive
sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
fi
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:465" value-id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value"/>
<check-content-ref name="oval:ssg:def:141" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="false" severity="low">
<title xml:lang="en-US">SSH Client Alive Count Used</title>
<description xml:lang="en-US">To ensure the SSH idle timeout occurs precisely when the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ClientAliveCountMax</xhtml:code> is set, edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code> as
follows:
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveCountMax 0</pre>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">879</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1133</reference>
<rationale xml:lang="en-US">
This ensures a user login will be terminated as soon as the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ClientAliveCountMax</xhtml:code> is reached.
</rationale>
<fix system="urn:xccdf:fix:script:sh">
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# ClientAliveCountMax directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_COUNT_MAX=$(sed -n '/^[[:space:]]*ClientAliveCountMax[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
then
# Append 'ClientAliveCountMax 0' at the end of $SSHD_CONFIG
echo -e "\nClientAliveCountMax 0" >> $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of ClientAliveCountMax directive
sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
then
# Prepend 'ClientAliveCountMax 0' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_CLIENT_ALIVE_COUNT_MAX" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of ClientAliveCountMax directive
sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'ClientAliveCountMax 0' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
fi
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:205" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_ntp">
<title xml:lang="en-US">Network Time Protocol</title>
<description xml:lang="en-US">The Network Time Protocol is used to manage the system
clock over a network. Computer clocks are not very accurate, so
time will drift unpredictably on unmanaged systems. Central time
protocols can be used both to ensure that time is consistent among
a network of machines, and that their time is consistent with the
outside world.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If every system on a network reliably reports the same time, then it is much
easier to correlate log messages in case of an attack. In addition, a number of
cryptographic protocols (such as Kerberos) use timestamps to prevent certain
types of attacks. If your network does not have synchronized time, these
protocols may be unreliable or even unusable.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Depending on the specifics of the network, global time accuracy may be just as
important as local synchronization, or not very important at all. If your
network is connected to the Internet, using a
public timeserver (or one provided by your enterprise) provides globally
accurate timestamps which may be essential in investigating or responding to
an attack which originated outside of your network.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
A typical network setup involves a small number of internal systems operating as NTP
servers, and the remainder obtaining time information from those
internal servers.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
More information on how to configure the NTP server software,
including configuration of cryptographic authentication for
time data, is available at http://www.ntp.org.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" selected="false" severity="medium">
<title xml:lang="en-US">Enable the NTP Daemon</title>
<description xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code> service can be enabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl enable ntpd.service</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-8(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">160</reference>
<rationale xml:lang="en-US">Enabling the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code> service ensures that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code>
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The NTP daemon offers all of the functionality of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpdate</xhtml:code>, which is now
deprecated. Additional information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</rationale>
<fix system="urn:xccdf:fix:script:sh">#
# Install ntp package if necessary
#
yum -y install ntp
#
# Enable ntpd service (for current systemd target)
#
systemctl enable ntpd.service
#
# Start ntpd if not currently running
#
systemctl start ntpd.service
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:272" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the service is not running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine the current status of the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code> service:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service ntpd status</xhtml:pre>
If the service is enabled, it should return the following: <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd is running...</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" selected="false" severity="medium">
<title xml:lang="en-US">Specify a Remote NTP Server</title>
<description xml:lang="en-US">To specify a remote NTP server for time synchronization, edit
the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ntp.conf</xhtml:code>. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for <em xmlns="http://www.w3.org/1999/xhtml">ntpserver</em>:
<pre xmlns="http://www.w3.org/1999/xhtml">server <i>ntpserver</i></pre>
This instructs the NTP software to contact that remote server to obtain time
data.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-8(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">160</reference>
<rationale xml:lang="en-US">Synchronizing with an NTP server makes it possible
to collate system logs from multiple sources or correlate computer events with
real time events.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:203" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="this is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify that a remote NTP service is configured for time synchronization,
open the following file:
<pre xmlns="http://www.w3.org/1999/xhtml">/etc/ntp.conf</pre>
In the file, there should be a section similar to the following:
<pre xmlns="http://www.w3.org/1999/xhtml">server <i>ntpserver</i></pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers" selected="false" severity="low">
<title xml:lang="en-US">Specify Additional Remote NTP Servers</title>
<description xml:lang="en-US">Additional NTP servers can be specified for time synchronization
in the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ntp.conf</xhtml:code>. To do so, add additional lines of the
following form, substituting the IP address or hostname of a remote NTP server for
<em xmlns="http://www.w3.org/1999/xhtml">ntpserver</em>:
<pre xmlns="http://www.w3.org/1999/xhtml">server <i>ntpserver</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-8(1)</reference>
<rationale xml:lang="en-US">Specifying additional NTP servers increases the availability of
accurate time data, in the event that one of the specified servers becomes
unavailable. This is typical for a system acting as an NTP server for
other systems.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:125" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_ftp">
<title xml:lang="en-US">FTP Server</title>
<description xml:lang="en-US">FTP is a common method for allowing remote access to
files. Like telnet, the FTP protocol is unencrypted, which means
that passwords and other data transmitted during the session can be
captured and that the session is vulnerable to hijacking.
Therefore, running the FTP server software is not recommended.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
However, there are some FTP server configurations which may
be appropriate for some environments, particularly those which
allow only read-only anonymous access as a means of downloading
data available to the public.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_vsftpd">
<title xml:lang="en-US">Disable vsftpd if Possible</title>
<Rule id="xccdf_org.ssgproject.content_rule_disable_vsftpd" selected="false" severity="low">
<title xml:lang="en-US">Disable vsftpd Service</title>
<description xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable vsftpd.service</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
<rationale xml:lang="en-US">
Running FTP server software provides a network-based avenue
of attack, and should be disabled if not needed.
Furthermore, the FTP protocol is unencrypted and creates
a risk of compromising sensitive information.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> service is disabled in system boot configuration, run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>vsftpd</xhtml:code> --list</xhtml:pre>
Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>vsftpd</xhtml:code> --list
<xhtml:code>vsftpd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre>
Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> is disabled through current runtime configuration:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service vsftpd status</xhtml:pre>
If the service is disabled the command will return the following output:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd is stopped</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_uninstall_vsftpd" selected="false" severity="low">
<title xml:lang="en-US">Uninstall vsftpd Package</title>
<description xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> package can be removed with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase vsftpd</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
<rationale xml:lang="en-US">
Removing the vsftpd package decreases the risk of its
accidental activation.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the package is installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> package is installed:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q vsftpd</xhtml:pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">
<title xml:lang="en-US">Use vsftpd to Provide FTP Service if Necessary</title>
<Rule id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed" selected="false" severity="low">
<title xml:lang="en-US">Install vsftpd Package</title>
<description xml:lang="en-US">If this machine must operate as an FTP server, install the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> package via the standard channels.
<pre xmlns="http://www.w3.org/1999/xhtml"># yum install vsftpd</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">After RHEL 2.1, Red Hat switched from distributing wu-ftpd with RHEL to distributing vsftpd. For security
and for consistency with future Red Hat releases, the use of vsftpd is recommended.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:168" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">
<title xml:lang="en-US">Use vsftpd to Provide FTP Service if Necessary</title>
<description xml:lang="en-US">The primary vsftpd configuration file is
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd.conf</xhtml:code>, if that file exists, or
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</xhtml:code> if it does not.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_log_transactions" selected="false" severity="low">
<title xml:lang="en-US">Enable Logging of All FTP Transactions</title>
<description xml:lang="en-US">Add or correct the following configuration options within the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code>
configuration file, located at <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES</pre>
</description>
<warning xml:lang="en-US" override="false" category="general">If verbose logging to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd.log</xhtml:code> is done, sparse logging of downloads to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/log/xferlog</xhtml:code> will not also occur. However, the information about what files were downloaded is included in the information logged to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd.log</xhtml:code></warning>
<rationale xml:lang="en-US">To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log
format. The default vsftpd log file is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/log/vsftpd.log</xhtml:code>.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:167" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="xferlog_enable is missing, or is not set to yes" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Find if logging is applied to the FTP daemon.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Procedures:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep vsftpd /etc/xinetd.d/*</pre>
<pre xmlns="http://www.w3.org/1999/xhtml"># grep server_args <i>vsftpd xinetd.d startup file</i></pre>
This will indicate the vsftpd config file used when starting through xinetd.
If the <i xmlns="http://www.w3.org/1999/xhtml">server_args</i> line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used.
<pre xmlns="http://www.w3.org/1999/xhtml"># grep xferlog_enable <i>vsftpd config file</i></pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_present_banner" selected="false" severity="medium">
<title xml:lang="en-US">Create Warning Banners for All FTP Users</title>
<description xml:lang="en-US">Edit the vsftpd configuration file, which resides at <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</xhtml:code>
by default. Add or correct the following configuration options:
<pre xmlns="http://www.w3.org/1999/xhtml">banner_file=/etc/issue</pre>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
<rationale xml:lang="en-US">This setting will cause the system greeting banner to be used for FTP connections as well.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:292" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
If FTP services are not installed, this is not applicable.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
To verify this configuration, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">grep "banner_file" /etc/vsftpd/vsftpd.conf</pre>
The output should show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">banner_file</xhtml:code> is set to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/issue</xhtml:code>, an example of which is shown below:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "banner_file" /etc/vsftpd/vsftpd.conf
banner_file=/etc/issue</pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_ftp_restrict_users">
<title xml:lang="en-US">Restrict the Set of Users Allowed to Access FTP</title>
<description xml:lang="en-US">This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to
do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an
identified need for this access.</description>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon" selected="false" severity="low">
<title xml:lang="en-US">Restrict Access to Anonymous Users if Possible</title>
<description xml:lang="en-US">Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than
using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
<pre xmlns="http://www.w3.org/1999/xhtml">local_enable=NO</pre>
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure
these logins as much as possible.</description>
<rationale xml:lang="en-US">The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access. </rationale>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_ftp_limit_users">
<title xml:lang="en-US">Limit Users Allowed FTP Access if Necessary</title>
<description xml:lang="en-US">If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:
<pre xmlns="http://www.w3.org/1999/xhtml">userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO</pre>
Edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftp.ftpusers</xhtml:code>. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
<pre xmlns="http://www.w3.org/1999/xhtml">USERNAME</pre>
If anonymous access is also required, add the anonymous usernames to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftp.ftpusers</xhtml:code> as well.
<pre xmlns="http://www.w3.org/1999/xhtml">anonymous
ftp</pre>
</description>
<rationale xml:lang="en-US">Historically, the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ftpusers</xhtml:code> contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">userlist deny=NO</xhtml:code> is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.</rationale>
</Group>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads" selected="false" severity="low">
<title xml:lang="en-US">Disable FTP Uploads if Possible</title>
<description xml:lang="en-US">Is there a mission-critical reason for users to upload files via FTP? If not,
edit the vsftpd configuration file to add or correct the following configuration options:
<pre xmlns="http://www.w3.org/1999/xhtml">write_enable=NO</pre>
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions
as much as possible.</description>
<rationale xml:lang="en-US">Anonymous FTP can be a convenient way to make files available for universal download. However, it is less
common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it
is necessary to ensure that files cannot be uploaded and downloaded from the same directory.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_home_partition" selected="false" severity="low">
<title xml:lang="en-US">Place the FTP Home Directory on its Own Partition</title>
<description xml:lang="en-US">By default, the anonymous FTP root is the home directory of the FTP user account. The df command can
be used to verify that this directory is on its own partition.</description>
<rationale xml:lang="en-US">If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent
these users from filling a disk used by other services.</rationale>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_ftp_configure_firewall">
<title xml:lang="en-US">Configure Firewalls to Protect the FTP Server</title>
<description xml:lang="en-US">By default, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">iptables</xhtml:code>
blocks access to the ports used by the web server.
To configure <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">iptables</xhtml:code> to allow port
21 traffic one must edit
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</xhtml:code> and
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</xhtml:code> (if IPv6 is in use).
Add the following line, ensuring that it appears before the final LOG
and DROP lines for the INPUT chain:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT</xhtml:pre>
Edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables-config</xhtml:code>. Ensure that the space-separated list of modules contains
the FTP connection tracking module:
<pre xmlns="http://www.w3.org/1999/xhtml">IPTABLES_MODULES="ip_conntrack_ftp"</pre></description>
<rationale xml:lang="en-US">These settings configure iptables to allow connections to an FTP server. The first line allows initial connections
to the FTP server port.
FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client
and server negotiate an arbitrary port to be used for data transfer. The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ip_conntrack_ftp</xhtml:code> module is used by
iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an
FTP server to operate on a machine which is running a firewall.</rationale>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_snmp">
<title xml:lang="en-US">SNMP Server</title>
<description xml:lang="en-US">The Simple Network Management Protocol allows
administrators to monitor the state of network devices, including
computers. Older versions of SNMP were well-known for weak
security, such as plaintext transmission of the community string
(used for authentication) and usage of easily-guessable
choices for the community string.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_snmp_service">
<title xml:lang="en-US">Disable SNMP Server if Possible</title>
<description xml:lang="en-US">The system includes an SNMP daemon that allows for its remote
monitoring, though it not installed by default. If it was installed and
activated but is not needed, the software should be disabled and removed.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_disable_snmpd" selected="false" severity="low">
<title xml:lang="en-US">Disable snmpd Service</title>
<description xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable snmpd.service</xhtml:pre>
</description>
<rationale xml:lang="en-US">
Running SNMP software provides a network-based avenue of attack, and
should be disabled if not needed.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> service is disabled in system boot configuration, run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>snmpd</xhtml:code> --list</xhtml:pre>
Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>snmpd</xhtml:code> --list
<xhtml:code>snmpd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre>
Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> is disabled through current runtime configuration:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service snmpd status</xhtml:pre>
If the service is disabled the command will return the following output:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd is stopped</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_package_net-snmp_removed" selected="false" severity="low">
<title xml:lang="en-US">Uninstall net-snmp Package</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net-snmp</xhtml:code> package provides the snmpd service.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net-snmp</xhtml:code> package can be removed with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase net-snmp</xhtml:pre>
</description>
<rationale xml:lang="en-US">
If there is no need to run SNMP server software,
removing the package provides a safeguard against its
activation.
</rationale>
<fix system="urn:xccdf:fix:script:sh">if rpm -qa | grep -q net-snmp; then
yum -y remove net-snmp
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:165" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the package is installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net-snmp</xhtml:code> package is installed:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q net-snmp</xhtml:pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_snmp_configure_server">
<title xml:lang="en-US">Configure SNMP Server if Necessary</title>
<description xml:lang="en-US">If it is necessary to run the snmpd agent on the system, some best
practices should be followed to minimize the security risk from the
installation. The multiple security models implemented by SNMP cannot be fully
covered here so only the following general configuration advice can be offered:
<ul xmlns="http://www.w3.org/1999/xhtml"><li>use only SNMP version 3 security models and enable the use of authentication and encryption</li><li>write access to the MIB (Management Information Base) should be allowed only if necessary</li><li>all access to the MIB should be restricted following a principle of least privilege</li><li>network access should be limited to the maximum extent possible including restricting to expected network
addresses both in the configuration files and in the system firewall rules</li><li>ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management
stations</li><li>ensure that permissions on the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd.conf</xhtml:code> configuration file (by default, in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/snmp</xhtml:code>) are 640 or more restrictive</li><li>ensure that any MIB files' permissions are also 640 or more restrictive</li></ul>
</description>
<Rule id="xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" selected="false" severity="medium">
<title xml:lang="en-US">Configure SNMP Service to Use Only SNMPv3 or Newer </title>
<description xml:lang="en-US">
Edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</xhtml:code>, removing any references to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rocommunity</xhtml:code>, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rwcommunity</xhtml:code>, or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">com2sec</xhtml:code>.
Upon doing that, restart the SNMP service:
<pre xmlns="http://www.w3.org/1999/xhtml"># service snmpd restart</pre>
</description>
<rationale xml:lang="en-US">
Earlier versions of SNMP are considered insecure, as they potentially allow
unauthorized access to detailed system management information.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:164" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure only SNMPv3 or newer is used, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>
There should be no output.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_snmpd_not_default_password" selected="false" severity="medium">
<title xml:lang="en-US">Ensure Default Password Is Not Used</title>
<description xml:lang="en-US">
Edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</xhtml:code>, remove default community string <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">public</xhtml:code>.
Upon doing that, restart the SNMP service:
<pre xmlns="http://www.w3.org/1999/xhtml"># service snmpd restart</pre>
</description>
<rationale xml:lang="en-US">
Presence of the default SNMP password enables querying of different system
aspects and could result in unauthorized knowledge of the system.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:212" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the default password is not set, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep -v "^#" /etc/snmp/snmpd.conf| grep public</pre>
There should be no output.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_and_rpc">
<title xml:lang="en-US">NFS and RPC</title>
<description xml:lang="en-US">The Network File System is a popular distributed filesystem for
the Unix environment, and is very widely deployed. This section discusses the
circumstances under which it is possible to disable NFS and its dependencies,
and then details steps which should be taken to secure
NFS's configuration. This section is relevant to machines operating as NFS
clients, as well as to those operating as NFS servers.
</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_nfs">
<title xml:lang="en-US">Disable All NFS Services if Possible</title>
<description xml:lang="en-US">If there is not a reason for the system to operate as either an
NFS client or an NFS server, follow all instructions in this section to disable
subsystems required by NFS.
</description>
<warning xml:lang="en-US" override="false" category="general">The steps in this section will prevent a machine
from operating as either an NFS client or an NFS server. Only perform these
steps on machines which do not need NFS at all.</warning>
<Group id="xccdf_org.ssgproject.content_group_disabling_nfs_services">
<title xml:lang="en-US">Disable Services Used Only by NFS</title>
<description xml:lang="en-US">If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
All of these daemons run with elevated privileges, and many listen for network
connections. If they are not needed, they should be disabled to improve system
security posture.</description>
<Rule id="xccdf_org.ssgproject.content_rule_service_nfslock_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Network File System Lock Service (nfslock)</title>
<description xml:lang="en-US">The Network File System Lock (nfslock) service starts the required
remote procedure call (RPC) processes which allow clients to lock files on the
server. If the local machine is not configured to mount NFS filesystems then
this service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfslock</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable nfslock.service</xhtml:pre>
</description>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Secure RPC Client Service (rpcgssd)</title>
<description xml:lang="en-US">
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols
that use RPC (most often Kerberos and NFS). The rpcgssd service is the
client-side of RPCSEC GSS. If the system does not require secure RPC then this
service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcgssd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable rpcgssd.service</xhtml:pre>
</description>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable RPC ID Mapping Service (rpcidmapd)</title>
<description xml:lang="en-US">The rpcidmapd service is used to map user names and groups to UID
and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then
this service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcidmapd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable rpcidmapd.service</xhtml:pre>
</description>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_disabling_netfs">
<title xml:lang="en-US">Disable netfs if Possible</title>
<description xml:lang="en-US">To determine if any network filesystems handled by netfs are
currently mounted on the system execute the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># mount -t nfs,nfs4,smbfs,cifs,ncpfs</pre>
If the command did not return any output then disable netfs.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_service_netfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Network File Systems (netfs)</title>
<description xml:lang="en-US">The netfs script manages the boot-time mounting of several types
of networked filesystems, of which NFS and Samba are the most common. If these
filesystem types are not in use, the script can be disabled, protecting the
system somewhat against accidental or malicious changes to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>
and against flaws in the netfs script itself.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">netfs</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable netfs.service</xhtml:pre>
</description>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines">
<title xml:lang="en-US">Configure All Machines which Use NFS</title>
<description xml:lang="en-US">The steps in this section are appropriate for all machines which
run NFS, whether they operate as clients or as servers.</description>
<Group id="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both">
<title xml:lang="en-US">Make Each Machine a Client or a Server, not Both</title>
<description xml:lang="en-US">If NFS must be used, it should be deployed in the simplest
configuration possible to avoid maintainability problems which may lead to
unnecessary security exposure. Due to the reliability and security problems
caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for machines
which act as NFS servers to also mount filesystems via NFS. At the least,
crossed mounts (the situation in which each of two servers mounts a filesystem
from the other) should never be used.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports">
<title xml:lang="en-US">Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)</title>
<description xml:lang="en-US">Firewalling should be done at each host and at the border
firewalls to protect the NFS daemons from remote access, since NFS servers
should never be accessible from outside the organization. However, by default
for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port
dynamically at service startup time. Dynamic ports cannot be protected by port
filtering firewalls such as iptables.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Therefore, restrict each service to always use a given port, so that
firewalling can be done effectively. Note that, because of the way RPC is
implemented, it is not possible to disable the RPC Bind service even if ports
are assigned statically to all RPC services.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
In NFSv4, the mounting and locking protocols have been incorporated into the
protocol, and the server listens on the the well-known TCP port 2049. As such,
NFSv4 does not need to interact with the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcbind, lockd, and rpc.statd</xhtml:code>
daemons, which can and should be disabled in a pure NFSv4 environment. The
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpc.mountd</xhtml:code> daemon is still required on the NFS server to setup
exports, but is not involved in any over-the-wire operations.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port" selected="false" severity="low">
<title xml:lang="en-US">Configure lockd to use static TCP port</title>
<description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd</xhtml:code> daemon to use a static TCP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">LOCKD_TCPPORT=lockd-port</pre>
Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd-port</xhtml:code> is a port which is not used by any other service on
your network.
</description>
<rationale xml:lang="en-US">
Restrict service to always use a given port, so that firewalling can be done
effectively.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port" selected="false" severity="low">
<title xml:lang="en-US">Configure lockd to use static UDP port</title>
<description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd</xhtml:code> daemon to use a static UDP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">LOCKD_UDPPORT=lockd-port</pre>
Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd-port</xhtml:code> is a port which is not used by any other service on
your network.
</description>
<rationale xml:lang="en-US"> Restricting services to always use a given port enables firewalling
to be done more effectively.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_statd_port" selected="false" severity="low">
<title xml:lang="en-US">Configure statd to use static port</title>
<description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">statd</xhtml:code> daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">STATD_PORT=statd-port</pre>
Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">statd-port</xhtml:code> is a port which is not used by any other service on your network.
</description>
<rationale xml:lang="en-US"> Restricting services to always use a given port enables firewalling
to be done more effectively.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port" selected="false" severity="low">
<title xml:lang="en-US">Configure mountd to use static port</title>
<description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">mountd</xhtml:code> daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">MOUNTD_PORT=statd-port</pre>
Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">mountd-port</xhtml:code> is a port which is not used by any other service on your network.
</description>
<rationale xml:lang="en-US"> Restricting services to always use a given port enables firewalling
to be done more effectively.
</rationale>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_configuring_clients">
<title xml:lang="en-US">Configure NFS Clients</title>
<description xml:lang="en-US">The steps in this section are appropriate for machines which operate as NFS clients.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_nfsd">
<title xml:lang="en-US">Disable NFS Server Daemons</title>
<description xml:lang="en-US">
There is no need to run the NFS server daemons <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> and
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> except on a small number of properly secured machines
designated as NFS servers. Ensure that these daemons are turned off on
clients.</description>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_no_anonymous" selected="false" severity="low">
<title xml:lang="en-US">Specify UID and GID for Anonymous NFS Connections</title>
<description xml:lang="en-US">To specify the UID and GID for remote root users, edit the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> file and add the following for each export:
<pre xmlns="http://www.w3.org/1999/xhtml">
anonuid=-1
anongid=-1
</pre>
</description>
<rationale xml:lang="en-US">Specifying the anonymous UID and GID as -1 ensures that the remote root user is mapped to a local account which has no permissions on the system.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_nfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Network File System (nfs)</title>
<description xml:lang="en-US">The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local machine. If the local machine
is not designated as a NFS server then this service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable nfs.service</xhtml:pre>
</description>
<rationale xml:lang="en-US">Unnecessary services should be disabled to decrease the attack surface of the system.</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
It is prudent to ensure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> service is disabled in system boot, as well as
not currently running. First, run the following to verify the service is stopped:
<pre xmlns="http://www.w3.org/1999/xhtml">$ service nfs status</pre>
If the service is stopped or disabled, it will return the following:
<pre xmlns="http://www.w3.org/1999/xhtml">rpc.svcgssd is stopped
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped</pre>
To verify that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> service is disabled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ chkconfig --list nfs</pre>
If properly configured, the output should look like:
<pre xmlns="http://www.w3.org/1999/xhtml">nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Secure RPC Server Service (rpcsvcgssd)</title>
<description xml:lang="en-US">The rpcsvcgssd service manages RPCSEC GSS contexts required to
secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
service is the server-side of RPCSEC GSS. If the system does not require secure
RPC then this service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable rpcsvcgssd.service</xhtml:pre>
</description>
<rationale xml:lang="en-US">Unnecessary services should be disabled to decrease the attack surface of the system.</rationale>
<check system="ocil-transitional">
<check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> service is disabled in system boot configuration, run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>rpcsvcgssd</xhtml:code> --list</xhtml:pre>
Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>rpcsvcgssd</xhtml:code> --list
<xhtml:code>rpcsvcgssd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre>
Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> is disabled through current runtime configuration:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service rpcsvcgssd status</xhtml:pre>
If the service is disabled the command will return the following output:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd is stopped</xhtml:pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems">
<title xml:lang="en-US">Mount Remote Filesystems with Restrictive Options</title>
<description xml:lang="en-US">Edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>. For each filesystem whose type
(column 3) is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs4</xhtml:code>, add the text
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">,nodev,nosuid</xhtml:code> to the list of mount options in column 4. If
appropriate, also add <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">,noexec</xhtml:code>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
See the section titled "Restrict Partition Mount Options" for a description of
the effects of these options. In general, execution of files mounted via NFS
should be considered risky because of the possibility that an adversary could
intercept the request and substitute a malicious file. Allowing setuid files to
be executed from remote servers is particularly risky, both for this reason and
because it requires the clients to extend root-level trust to the NFS
server.</description>
<Rule id="xccdf_org.ssgproject.content_rule_use_nodev_option_on_nfs_mounts" selected="false" severity="medium">
<title xml:lang="en-US">Mount Remote Filesystems with nodev</title>
<description xml:lang="en-US">
Add the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nodev</xhtml:code> option to the fourth column of
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code> for the line which controls mounting of
any NFS mounts.
</description>
<rationale xml:lang="en-US">Legitimate device files should only exist in the /dev directory. NFS mounts
should not present device files to users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the setting does not show" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nodev</xhtml:code> option is configured for all NFS mounts, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ mount | grep nfs</pre>
All NFS mounts should show the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nodev</xhtml:code> setting in parentheses. This is not applicable if NFS is
not implemented.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_use_nosuid_option_on_nfs_mounts" selected="false" severity="medium">
<title xml:lang="en-US">Mount Remote Filesystems with nosuid</title>
<description xml:lang="en-US">
Add the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nosuid</xhtml:code> option to the fourth column of
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code> for the line which controls mounting of
any NFS mounts.
</description>
<rationale xml:lang="en-US">NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem.</rationale>
<check system="ocil-transitional">
<check-export export-name="the setting does not show" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nosuid</xhtml:code> option is configured for all NFS mounts, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ mount | grep nfs</pre>
All NFS mounts should show the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nosuid</xhtml:code> setting in parentheses. This is not applicable if NFS is
not implemented.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_configuring_servers">
<title xml:lang="en-US">Configure NFS Servers</title>
<description xml:lang="en-US">The steps in this section are appropriate for machines which operate as NFS servers.</description>
<Group id="xccdf_org.ssgproject.content_group_configure_exports_restrictively">
<title xml:lang="en-US">Configure the Exports File Restrictively</title>
<description xml:lang="en-US">Linux's NFS implementation uses the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> to control what filesystems
and directories may be accessed via NFS. (See the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">exports(5)</xhtml:code> manpage for more information about the
format of this file.)
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The syntax of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">exports</xhtml:code> file is not necessarily checked fully on reload, and syntax errors
can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying
the file.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The syntax of each line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> is:
<pre xmlns="http://www.w3.org/1999/xhtml">/DIR host1(opt1,opt2) host2(opt3)</pre>
where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/DIR</xhtml:code> is a directory or filesystem to export, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">hostN</xhtml:code> is an IP address, netblock,
hostname, domain, or netgroup to which to export, and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">optN</xhtml:code> is an option.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions">
<title xml:lang="en-US">Use Access Lists to Enforce Authorization Restrictions</title>
<description xml:lang="en-US">When configuring NFS exports, ensure that each export line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> contains
a list of hosts which are allowed to access that export. If no hosts are specified on an export line,
then that export is available to any remote host which requests it. All lines of the exports file should
specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that
unknown or remote hosts will be denied.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Authorized hosts can be specified in several different formats:
<ul xmlns="http://www.w3.org/1999/xhtml"><li>Name or alias that is recognized by the resolver</li><li>Fully qualified domain name</li><li>IP address</li><li>IP subnets in the format <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">address/netmask</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">address/CIDR</xhtml:code></li></ul>
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_export_filesystems_read_only">
<title xml:lang="en-US">Export Filesystems Read-Only if Possible</title>
<description xml:lang="en-US">If a filesystem is being exported so that users can view the files in a convenient
fashion, but there is no need for users to edit those files, exporting the filesystem read-only
removes an attack vector against the server. The default filesystem export mode is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ro</xhtml:code>,
so do not specify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rw</xhtml:code> without a good reason.
</description>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports" selected="false" severity="low">
<title xml:lang="en-US">Use Root-Squashing on All Exports</title>
<description xml:lang="en-US">If a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Ensure that no line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> contains the option <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">no_root_squash</xhtml:code>.
</description>
<rationale xml:lang="en-US">If the NFS server allows root access to local file systems from remote hosts, this
access could be used to compromise the system.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports" selected="false" severity="low">
<title xml:lang="en-US">Restrict NFS Clients to Privileged Ports</title>
<description xml:lang="en-US">By default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over machines connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not be changed.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
To ensure that the default has not been changed, ensure no line in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> contains the option <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insecure</xhtml:code>.
</description>
<rationale xml:lang="en-US">Allowing client requests to be made from ports higher than 1024 could allow a unprivileged
user to initiate an NFS connection. If the unprivileged user account has been compromised, an
attacker could gain access to data on the NFS server.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_insecure_locks_exports" selected="false" severity="medium">
<title xml:lang="en-US">Ensure Insecure File Locking is Not Allowed</title>
<description xml:lang="en-US">By default the NFS server requires secure file-lock requests,
which require credentials from the client in order to lock a file. Most NFS
clients send credentials with file lock requests, however, there are a few
clients that do not send credentials when requesting a file-lock, allowing the
client to only be able to lock world-readable files. To get around this, the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insecure_locks</xhtml:code> option can be used so these clients can access the
desired export. This poses a security risk by potentially allowing the client
access to data for which it does not have authorization.
Remove any instances of the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insecure_locks</xhtml:code> option from the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code>.
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">764</reference>
<rationale xml:lang="en-US">Allowing insecure file locking could allow for sensitive data to be
viewed or edited by an unauthorized user.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:210" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify insecure file locking has been disabled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep insecure_locks /etc/exports</pre>
</check-content>
</check>
</Rule>
</Group>
</Group>
</Group>
</Benchmark>
</ds:component>
<ds:component id="scap_org.open-scap_comp_output--ssg-fedora-cpe-oval.xml" timestamp="2015-03-17T12:23:34">
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
<generator>
<oval:product_name>python</oval:product_name>
<oval:product_version>2.6.6</oval:product_version>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2011-09-21T13:44:00</oval:timestamp>
</generator>
<definitions><definition class="inventory" id="oval:ssg:def:100" version="1">
<metadata>
<title>Fedora release 19 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:19" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 19 (Schrödinger's Cat)</description>
</metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 19 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:103" version="1">
<metadata>
<title>Fedora release 20 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 20</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:20" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 20 (Schrödinger's Cat)</description>
</metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 20 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:104" version="1">
<metadata>
<title>Red Hat Enterprise Linux 6</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 6</description>
</metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:ssg:tst:105"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:ssg:tst:106"/>
</criteria>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:107" version="1">
<metadata>
<title>Red Hat Enterprise Linux 7</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 7</description>
</metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:108"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:ssg:tst:109"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:ssg:tst:110"/>
</criteria>
</criteria>
</definition>
</definitions><tests><ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:101" version="1">
<ind:object object_ref="oval:ssg:obj:111"/>
<ind:state state_ref="oval:ssg:ste:112"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="only_one_exists" comment="fedora-release is version 19" id="oval:ssg:tst:102" version="1">
<linux:object object_ref="oval:ssg:obj:113"/>
<linux:state state_ref="oval:ssg:ste:114"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 6" id="oval:ssg:tst:105" version="1">
<linux:object object_ref="oval:ssg:obj:115"/>
<linux:state state_ref="oval:ssg:ste:116"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 6" id="oval:ssg:tst:106" version="1">
<linux:object object_ref="oval:ssg:obj:117"/>
<linux:state state_ref="oval:ssg:ste:118"/>
</linux:rpminfo_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:108" version="1">
<ind:object object_ref="oval:ssg:obj:119"/>
<ind:state state_ref="oval:ssg:ste:120"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg:tst:109" version="1">
<linux:object object_ref="oval:ssg:obj:121"/>
<linux:state state_ref="oval:ssg:ste:122"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg:tst:110" version="1">
<linux:object object_ref="oval:ssg:obj:123"/>
<linux:state state_ref="oval:ssg:ste:124"/>
</linux:rpminfo_test>
</tests><objects><ind:family_object id="oval:ssg:obj:111" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:113" version="1">
<linux:name>fedora-release</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:115" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:117" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:family_object id="oval:ssg:obj:119" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:121" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:123" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
</objects><states><ind:family_state id="oval:ssg:ste:112" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:114" version="1">
<linux:version operation="pattern match">^19$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:116" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:118" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<ind:family_state id="oval:ssg:ste:120" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:122" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:124" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
</states></oval_definitions>
</ds:component>
<ds:component id="scap_org.open-scap_comp_output--ssg-fedora-cpe-dictionary.xml" timestamp="2015-03-17T12:23:34">
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
<cpe-item name="cpe:/o:fedoraproject:fedora:19">
<title xml:lang="en-us">Fedora release 19 (Schrödinger's Cat)</title>
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml">oval:ssg:def:100</check>
</cpe-item>
</cpe-list>
</ds:component>
<ds:component id="scap_org.open-scap_comp_output--ssg-fedora-oval.xml" timestamp="2015-03-17T12:23:34"><oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
<generator>
<oval:product_name>python</oval:product_name>
<oval:product_version>2.6.6</oval:product_version>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2011-09-21T13:44:00</oval:timestamp>
</generator>
<definitions>
<definition class="compliance" id="oval:ssg:def:125" version="1">
<metadata>
<title>Specify a Remote NTP Server for Time Data</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Multiple NTP Servers for time synchronization should be
specified</description>
<reference source="galford" ref_id="20141107" ref_url="test_attestation"/>
<reference ref_id="ntpd_specify_multiple_servers" source="ssg"/></metadata>
<criteria comment="ntp.conf conditions are met">
<criterion test_ref="oval:ssg:tst:126"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:127" version="1">
<metadata>
<title>No nullok Option in /etc/pam.d/system-auth</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The file /etc/pam.d/system-auth should not contain the nullok option</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="no_empty_passwords" source="ssg"/></metadata>
<criteria>
<criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="oval:ssg:tst:128"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:129" version="1">
<metadata>
<title>Set Password minclass Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minclass should meet the minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_minclass" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for minclass are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:131"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:100" version="1">
<metadata>
<title>Fedora release 19 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:19" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 19 (Schrödinger's Cat)</description>
<reference ref_id="installed_OS_is_fedora19" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 19 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:132" version="1">
<metadata>
<title>Package openssh-server Removed</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package openssh-server should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_openssh-server_removed" source="ssg"/></metadata>
<criteria>
<criterion comment="package openssh-server is removed" test_ref="oval:ssg:tst:133"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:134" version="1">
<metadata>
<title>Package dconf Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The RPM package dconf should be installed.</description>
<reference source="galford" ref_id="20140424" ref_url="test_attestation"/>
<reference ref_id="package_dconf_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package dconf is installed" test_ref="oval:ssg:tst:135"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:136" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The maximum password age policy should meet minimum requirements.</description>
<reference source="JL" ref_id="RHEL6_20150130" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150130" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150130" ref_url="test_attestation"/>
<reference ref_id="accounts_maximum_age_login_defs" source="ssg"/></metadata>
<criteria comment="The value PASS_MAX_DAYS should be set appropriately in /etc/login.defs">
<criterion test_ref="oval:ssg:tst:137"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:138" version="1">
<metadata>
<title>Verify that System Executables Have Root Ownership</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
/usr/local/sbin, and objects therein, are owned by root.
</description>
<reference ref_id="file_ownership_binary_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:139"/>
<criterion test_ref="oval:ssg:tst:140"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:141" version="1">
<metadata>
<title>Set OpenSSH Idle Timeout Interval</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The SSH idle timeout interval should be set to an
appropriate value.</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140224" ref_url="test_attestation" /> -->
<reference ref_id="sshd_set_idle_timeout" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="oval:ssg:tst:143"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:144" version="1">
<metadata>
<title>Enable GNOME3 Login Warning Banner</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Enable the GNOME3 Login warning banner.</description>
<reference source="galford" ref_id="20140823" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_banner_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Enable GUI banner" test_ref="oval:ssg:tst:146"/>
<criterion comment="Prevent user from disabling banner" test_ref="oval:ssg:tst:147"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:148" version="1">
<metadata>
<title>Verify that Shared Library Files Have Root Ownership</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are owned by root.
</description>
<reference ref_id="file_ownership_library_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:149"/>
<criterion test_ref="oval:ssg:tst:150"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:151" version="2">
<metadata>
<title>Disable Prelinking</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Fedora 20</platform>
</affected>
<description>The prelinking feature can interfere with the operation of
checksum integrity tools (e.g. AIDE), mitigates the protection provided
by ASLR, and requires additional CPU cycles by software upgrades.
</description>
<reference source="JL" ref_id="20140313" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140313" ref_url="test_attestation" /> -->
<reference ref_id="disable_prelink" source="ssg"/></metadata>
<criteria>
<criterion comment="Ensure prelinking is disabled" test_ref="oval:ssg:tst:152"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:153" version="2">
<metadata>
<title>Set SHA512 Password Hashing Algorithm in /etc/login.defs</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The password hashing algorithm should be set correctly in /etc/login.defs.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="set_password_hashing_algorithm_logindefs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:154"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:155" version="1">
<metadata>
<title>Proper Permissions User Home Directories</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>File permissions should be set correctly for the home directories for all user accounts.</description>
<reference source="JL" ref_id="RHEL6_20141106" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20141106" ref_url="test_attestation"/>
<reference source="JL" ref_id="Fedora20_20141106" ref_url="test_attestation"/>
<reference ref_id="file_permissions_home_dirs" source="ssg"/></metadata>
<criteria>
<criterion comment="home directories" test_ref="oval:ssg:tst:156" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:157" version="3">
<metadata>
<title>Lock out account after failed login attempts</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The number of allowed failed logins should be set correctly.</description>
<reference source="JL" ref_id="RHEL6_20150122" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150122" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150122" ref_url="test_attestation"/>
<reference ref_id="accounts_passwords_pam_faillock_deny" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:158" comment="pam_faillock.so preauth silent set in system-auth"/>
<criterion test_ref="oval:ssg:tst:159" comment="pam_faillock.so authfail deny value set in system-auth"/>
<criterion test_ref="oval:ssg:tst:160" comment="pam_faillock.so set in account phase of system-auth"/>
<criterion test_ref="oval:ssg:tst:161" comment="pam_faillock.so preauth silent set in password-auth"/>
<criterion test_ref="oval:ssg:tst:162" comment="pam_faillock.so authfail deny value set in password-auth"/>
<criterion test_ref="oval:ssg:tst:163" comment="pam_faillock.so set in account phase of password-auth"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:164" version="2">
<metadata>
<title>SNMP use newer protocols</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>SNMP version 1 and 2c must not be enabled.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="snmpd_use_newer_protocol" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="SMNP installed" definition_ref="oval:ssg:def:165"/>
<criterion comment="SNMP protocols" test_ref="oval:ssg:tst:166"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:167" version="1">
<metadata>
<title>Banner for FTP Users</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>To trace malicious activity facilitated by the FTP
service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log format.
</description>
<reference source="galford" ref_id="20140812" ref_url="test_attestation"/>
<reference ref_id="ftp_log_transactions" source="ssg"/></metadata>
<criteria comment="FTP is not being used or the conditions are met" operator="OR">
<extend_definition comment="vsftp package is not installed" definition_ref="oval:ssg:def:168" negate="true"/>
<criteria comment="FTP configuration conditions are not set or are met" operator="AND">
<criterion comment="log ftp transactions enable" test_ref="oval:ssg:tst:169"/>
<criterion comment="log ftp transactions format" test_ref="oval:ssg:tst:170"/>
<criterion comment="log ftp transactions protocol" test_ref="oval:ssg:tst:171"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:172" version="1">
<metadata>
<title>Implement Blank Screensaver</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The GNOME3 screensaver should be blank.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_mode_blank" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable blank screensaver and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="screensaver is blank" test_ref="oval:ssg:tst:173"/>
<criterion comment="screensaver prevent user from changing mode" test_ref="oval:ssg:tst:174"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:175" version="2">
<metadata>
<title>Kernel Runtime Parameter "kernel.exec-shield" Check</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The kernel runtime parameter "kernel.exec-shield" should not be disabled and set to 1 on 32-bit systems.</description>
<reference source="galford" ref_id="201410" ref_url="test_attestation"/>
<reference ref_id="sysctl_kernel_exec_shield" source="ssg"/></metadata>
<criteria operator="OR">
<criteria operator="AND" comment="system is RHEL6">
<extend_definition comment="RHEL6 installed" definition_ref="oval:ssg:def:104"/>
<criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:176"/>
<criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:177"/>
</criteria>
<criteria operator="AND">
<extend_definition comment="32-bit system" definition_ref="oval:ssg:def:178"/>
<criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:176"/>
<criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:177"/>
</criteria>
<criteria operator="AND">
<extend_definition comment="64-bit system" definition_ref="oval:ssg:def:179"/>
<criterion comment="NX is supported and is not disabled" test_ref="oval:ssg:tst:180"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:181" version="1">
<metadata>
<title>Package ntp Installed</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package ntp should be installed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_ntp_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package ntp is installed" test_ref="oval:ssg:tst:182"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:165" version="1">
<metadata>
<title>Package net-snmp Removed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The RPM package net-snmp should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_net-snmp_removed" source="ssg"/></metadata>
<criteria>
<criterion comment="package net-snmp is removed" test_ref="oval:ssg:tst:183"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:179" version="1">
<!-- Note that this does not meet requirements for class=inventory as
that only tests for patches per 5.10.1 Revision 1 -->
<metadata>
<title>Test for x86_64 Architecture</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>Generic test for x86_64 architecture to be used by other tests</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="system_info_architecture_x86_64" source="ssg"/></metadata>
<criteria>
<criterion comment="Generic test for x86_64 architecture" test_ref="oval:ssg:tst:184"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:185" version="1">
<metadata>
<title>Set Password retry Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password retry should meet minimum
requirements</description>
<reference source="swells" ref_id="20140925" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_retry" source="ssg"/></metadata>
<criteria operator="OR" comment="Conditions for retry are satisfied">
<criteria operator="AND" comment="system is RHEL6 with pam_cracklib configured">
<extend_definition comment="RHEL6 installed" definition_ref="oval:ssg:def:104"/>
<criterion comment="rhel6 pam_cracklib" test_ref="oval:ssg:tst:186"/>
</criteria>
<criteria operator="AND" comment="system is RHEL7 with pam_pwquality configured">
<extend_definition comment="RHEL7 installed" definition_ref="oval:ssg:def:107"/>
<criterion comment="rhel7 pam_pwquality" test_ref="oval:ssg:tst:187"/>
</criteria>
<criteria operator="AND" comment="system is Fedora with pam_pwquality configured">
<extend_definition comment="Fedora installed" definition_ref="oval:ssg:def:100"/>
<criterion comment="Fedora pam_pwquality" test_ref="oval:ssg:tst:187"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:188" version="1">
<metadata>
<title>Package Antivirus Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Antivirus software should be installed.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="install_antivirus" source="ssg"/></metadata>
<criteria comment="Antivirus is not being used or conditions are met">
<criterion comment="Linuxshield AntiVirus package is installed" test_ref="oval:ssg:tst:189"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:190" version="1">
<metadata>
<title>Set Password minlen Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minlen should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_minlen" source="ssg"/></metadata>
<criteria operator="AND" comment="system uses pam_pwquality configured">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pam_pwquality" test_ref="oval:ssg:tst:191"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:103" version="1">
<metadata>
<title>Fedora release 20 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 20</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:20" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 20 (Schrödinger's Cat)</description>
<reference ref_id="installed_OS_is_fedora20" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 20 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:192" version="1">
<metadata>
<title>File grub.cfg Permissions</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>File permissions for grub.cfg should be set to 0600 (or stronger). By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_permissions_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:193"/>
<criterion test_ref="oval:ssg:tst:194"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:195" version="1">
<metadata>
<title>Ensure gpgcheck Enabled For All Yum Package Repositories</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Ensure all yum repositories utilize signature checking.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- rhel7 <reference source="SDW" ref_id="20131223" ref_url="test_attestation" /> -->
<reference ref_id="ensure_gpgcheck_never_disabled" source="ssg"/></metadata>
<criteria comment="ensure all yum repositories utilize signiature checking" operator="AND">
<criterion comment="verify no gpgpcheck=0 present in /etc/yum.repos.d files" test_ref="oval:ssg:tst:196"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:197" version="1">
<metadata>
<title>Enable GUI Warning Banner</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Enable the GUI warning banner.</description>
<reference source="galford" ref_id="20140902" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_login_banner_text" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Prevent user from changing banner" test_ref="oval:ssg:tst:198"/>
<criterion comment="Login banner is correctly set" test_ref="oval:ssg:tst:199"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:200" version="1">
<metadata>
<title>Verify No netrc Files Exist</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="no_netrc_files" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:201" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:178" version="1">
<!-- Note that this does not meet requirements for class=inventory as
that only tests for patches per 5.10.1 Revision 1 -->
<metadata>
<title>Test for x86 Architecture</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>Generic test for x86 architecture to be used by other tests</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="system_info_architecture_x86" source="ssg"/></metadata>
<criteria>
<criterion comment="Generic test for x86 architecture" test_ref="oval:ssg:tst:202"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:203" version="1">
<metadata>
<title>Specify a Remote NTP Server for Time Data</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>A remote NTP Server for time synchronization should be
specified (and dependencies are met)</description>
<reference source="galford" ref_id="20141111" ref_url="test_attestation"/>
<reference ref_id="ntpd_specify_remote_server" source="ssg"/></metadata>
<criteria comment="ntp.conf conditions are met">
<criterion test_ref="oval:ssg:tst:204"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:205" version="1">
<metadata>
<title>Set ClientAliveCountMax for User Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The SSH ClientAliveCountMax should be set to an appropriate
value (and dependencies are met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_set_keepalive" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config" test_ref="oval:ssg:tst:206"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:207" version="1">
<metadata>
<title>System Accounts Do Not Run a Shell</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The root account is the only system account that should have a login shell.</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="no_shelllogin_for_systemaccounts" source="ssg"/></metadata>
<criteria>
<criterion comment="tests for the presence of login shells (not /sbin/nologin) for system accounts in /etc/passwd file" test_ref="oval:ssg:tst:208"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:168" version="1">
<metadata>
<title>Package vsftpd Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package vsftpd should be installed.</description>
<reference source="JL" ref_id="20140522" ref_url="test_attestation"/>
<reference ref_id="package_vsftpd_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package vsftpd is installed" test_ref="oval:ssg:tst:209"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:210" version="1">
<metadata>
<title>Ensure insecure_locks is disabled</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Allowing insecure file locking could allow for sensitive
data to be viewed or edited by an unauthorized user.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="no_insecure_locks_exports" source="ssg"/></metadata>
<criteria>
<criterion comment="Check for insecure NFS locks in /etc/exports" test_ref="oval:ssg:tst:211"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:212" version="2">
<metadata>
<title>SNMP default communities disabled</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>SNMP default communities must be removed.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="snmpd_not_default_password" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="SMNP installed" definition_ref="oval:ssg:def:165"/>
<criterion comment="SNMP communities" test_ref="oval:ssg:tst:213"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:214" version="2">
<metadata>
<title>Set Password ucredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password ucredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_ucredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for ucredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:215"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:130" version="1">
<metadata>
<title>Check pam_pwquality Existence in system-auth</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>Check that pam_pwquality.so exists in system-auth</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_pwquality" source="ssg"/></metadata>
<criteria>
<criterion comment="Conditions for pam_pwquality are satisfied" test_ref="oval:ssg:tst:216"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:217" version="1">
<metadata>
<title>Disable GNOME3 Automounting</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives)
whenever they are inserted into the system. Disable automount and autorun
within GNOME3.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_disable_automount" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Disable automount in GNOME3" test_ref="oval:ssg:tst:218"/>
<criterion comment="Disable automount-open in GNOME3" test_ref="oval:ssg:tst:219"/>
<criterion comment="Disable autorun in GNOME3" test_ref="oval:ssg:tst:220"/>
<criterion comment="Prevent user from changing automount setting" test_ref="oval:ssg:tst:221"/>
<criterion comment="Prevent user from changing automount-open setting" test_ref="oval:ssg:tst:222"/>
<criterion comment="Prevent user from changing autorun setting" test_ref="oval:ssg:tst:223"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:142" version="1">
<metadata>
<title>Service sshd Disabled</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<description>
The sshd service should be disabled.
</description>
<reference ref_id="service_sshd_disabled" source="ssg"/></metadata>
<criteria comment="package openssh-server removed or service sshd is not configured to start" operator="OR">
<extend_definition comment="openssh-server removed" definition_ref="oval:ssg:def:132"/>
<criterion comment="sshd disabled in multi-user.target" test_ref="oval:ssg:tst:224"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:225" version="1">
<metadata>
<title>Limit Password Reuse</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The passwords to remember should be set correctly.</description>
<reference source="SDW" ref_id="20131025" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_unix_remember" source="ssg"/></metadata>
<criteria>
<criterion comment="remember parameter is set to 0" test_ref="oval:ssg:tst:226"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:227" version="1">
<metadata>
<title>Disable Empty Passwords</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Remote connections from accounts with empty passwords should
be disabled (and dependencies are met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_disable_empty_passwords" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check PermitEmptyPasswords in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg:tst:228"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:104" version="1">
<metadata>
<title>Red Hat Enterprise Linux 6</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 6</description>
<reference ref_id="installed_OS_is_rhel6" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:ssg:tst:105"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:ssg:tst:106"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:229" version="2">
<metadata>
<title>Set Password ocredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password ocredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_ocredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for ocredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:230"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:231" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password expiration warning age should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_password_warn_age_login_defs" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:232"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:233" version="1">
<metadata>
<title>Verify that System Executables Have Restrictive Permissions</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
/usr/local/bin, and /usr/local/sbin, are not group-writable or world-writable.
</description>
<reference ref_id="file_permissions_binary_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:234"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:235" version="1">
<metadata>
<title>Set Password maxrepeat Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password maxrepeat should meet minimum
requirements using pam_pwquality</description>
<reference source="galford" ref_id="20141006" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_maxrepeat" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for maxrepeat are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:236"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:237" version="1">
<metadata>
<title>File grub.cfg Owned By root User</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub.cfg file should be owned by the root user. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_user_owner_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:238"/>
<criterion test_ref="oval:ssg:tst:239"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:240" version="1">
<metadata>
<title>Verify that Shared Library Files Have Restrictive Permissions</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are not group-writable or world-writable.
</description>
<reference ref_id="file_permissions_library_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:241"/>
<criterion test_ref="oval:ssg:tst:242"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:243" version="1">
<metadata>
<title>Disable root Login via SSH</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Root login via SSH should be disabled (and dependencies are
met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_disable_root_login" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg:tst:244"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:245" version="1">
<metadata>
<title>Restrict Serial Port Root Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Preventing direct root login to serial port interfaces helps
ensure accountability for actions taken on the system using the root
account.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="restrict_serial_port_logins" source="ssg"/></metadata>
<criteria>
<criterion comment="serial ports /etc/securetty" test_ref="oval:ssg:tst:246" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:247" version="2">
<metadata>
<title>Set Password difok Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password difok should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_difok" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for difok are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:248"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:249" version="1">
<metadata>
<title>Ensure Yum gpgcheck Globally Activated</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The gpgcheck option should be used to ensure that checking
of an RPM package's signature always occurs prior to its
installation.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- rhel7: <reference source="SDW" ref_id="20131223" ref_url="test_attestation" /> -->
<reference ref_id="ensure_gpgcheck_globally_activated" source="ssg"/></metadata>
<criteria>
<criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="oval:ssg:tst:250"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:251" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minimum length should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_password_minlen_login_defs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:252"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:253" version="2">
<metadata>
<title>System Login Banner Compliance</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The system login banner text should be set correctly.</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="banner_etc_issue" source="ssg"/></metadata>
<criteria>
<criterion comment="/etc/issue is set appropriately" test_ref="oval:ssg:tst:254"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:255" version="1">
<metadata>
<title>Disable All GNOME3 Thumbnailers</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The system's default desktop environment, GNOME3, uses a
number of different thumbnailer programs to generate thumbnails for any
new or modified content in an opened folder. Disable the execution of
these thumbnail applications within GNOME3.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_disable_thumbnailers" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Disable Gnome3 Thumbnailers and prevent user from enabling" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Disable thumbnailers in GNOME3" test_ref="oval:ssg:tst:256"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:257"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:145" version="1">
<metadata>
<title>Implement Local DB for DConf User Profile</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The DConf User profile should have the local DB configured.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="enable_dconf_user_profile" source="ssg"/></metadata>
<criteria>
<criterion comment="dconf user profile exists" test_ref="oval:ssg:tst:258"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:259" version="2">
<metadata>
<title>Kernel Runtime Parameter IPv6 Check</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Disables IPv6 for all network interfaces.</description>
<reference source="galford" ref_id="20141015" ref_url="test_attestation"/>
<reference ref_id="sysctl_kernel_ipv6_disable" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="Disable IPv6 runtime check" test_ref="oval:ssg:tst:260"/>
<criterion comment="Disable IPv6 in sysctl.d conf file" test_ref="oval:ssg:tst:261"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:262" version="2">
<metadata>
<title>Set Password lcredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password lcredit should meet minimum requirements</description>
<reference source="swells" ref_id="20140926" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_lcredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for lcredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:263"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:264" version="1">
<metadata>
<title>Set Boot Loader Password</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub2 boot loader should have password protection enabled.</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="bootloader_password" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="make sure a password is defined in /etc/grub2.cfg" test_ref="oval:ssg:tst:265"/>
<criterion comment="make sure a superuser is defined in /etc/grub2.cfg" test_ref="oval:ssg:tst:266"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:267" version="1">
<metadata>
<title>All Password Hashes Shadowed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>All password hashes should be shadowed.</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="accounts_password_all_shadowed" source="ssg"/></metadata>
<criteria>
<criterion comment="password hashes are shadowed" test_ref="oval:ssg:tst:268"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:269" version="1">
<metadata>
<title>Enable GNOME3 Screensaver Idle Activation</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Idle activation of the screen saver should be enabled.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_idle_activation_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="check screensaver idle activation and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="idle activation has been configured" test_ref="oval:ssg:tst:270"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:271"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:272" version="1">
<metadata>
<title>Service ntpd Enabled</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<description>
The ntpd service should be enabled.
</description>
<reference ref_id="service_ntpd_enabled" source="ssg"/></metadata>
<criteria comment="package ntp installed and service ntpd is configured to start" operator="AND">
<extend_definition comment="ntp installed" definition_ref="oval:ssg:def:181"/>
<criterion comment="ntpd multi-user.target" test_ref="oval:ssg:tst:273"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:274" version="2">
<metadata>
<title>Write permissions are disabled for group and other in all
directories in Root's Path</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Check each directory in root's path and make use it does
not grant write permission to group and other</description>
<reference source="JL" ref_id="RHEL6_20141119" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20141119" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20141119" ref_url="test_attestation"/>
<reference ref_id="accounts_root_path_dirs_no_write" source="ssg"/></metadata>
<criteria comment="Check that write permission to group and other in root's path is denied">
<criterion comment="Check for write permission to group and other in root's path" test_ref="oval:ssg:tst:275"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:107" version="1">
<metadata>
<title>Red Hat Enterprise Linux 7</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 7</description>
<reference ref_id="installed_OS_is_rhel7" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:108"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:ssg:tst:109"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:ssg:tst:110"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:276" version="1">
<metadata>
<title>UID 0 Belongs Only To Root</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Only the root account should be assigned a user id of 0.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140303" ref_url="test_attestation" /> -->
<reference ref_id="accounts_no_uid_except_zero" source="ssg"/></metadata>
<criteria>
<criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="oval:ssg:tst:277"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:278" version="1">
<metadata>
<title>File grub.cfg Owned By root Group </title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub.cfg file should be owned by the root group. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_group_owner_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:279"/>
<criterion test_ref="oval:ssg:tst:280"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:281" version="1">
<metadata>
<title>Restrict Virtual Console Root Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system using the
root account.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="securetty_root_login_console_only" source="ssg"/></metadata>
<criteria>
<criterion comment="virtual consoles /etc/securetty" test_ref="oval:ssg:tst:282"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:283" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The minimum password age policy should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_minimum_age_login_defs" source="ssg"/></metadata>
<criteria comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs">
<criterion test_ref="oval:ssg:tst:284"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:285" version="1">
<metadata>
<title>Set Password dcredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password dcredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_dcredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for dcredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:286"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:287" version="1">
<metadata>
<title>Enable GNOME3 Screensaver Lock After Idle Period</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Idle activation of the screen lock should be enabled.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_lock_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable screensaver lock and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="screensaver lock is enabled" test_ref="oval:ssg:tst:288"/>
<criterion comment="screensaver lock prevent user from changing" test_ref="oval:ssg:tst:289"/>
<criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg:tst:290"/>
<criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg:tst:291"/>
<criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg:tst:290"/>
<criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg:tst:291"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:292" version="1">
<metadata>
<title>Banner for FTP Users</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>This setting will cause the system greeting banner to be
used for FTP connections as well.</description>
<reference source="galford" ref_id="20140812" ref_url="test_attestation"/>
<reference ref_id="ftp_present_banner" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="vsftpd package is not installed" negate="true" definition_ref="oval:ssg:def:168"/>
<criterion comment="Banner for FTP Users" test_ref="oval:ssg:tst:293"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:294" version="1">
<metadata>
<title>Configure the GNOME3 GUI Screen locking</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The allowed period of inactivity before the screensaver is activated.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_idle_delay" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="check screensaver idle delay and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="idle delay has been configured" test_ref="oval:ssg:tst:295"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:296"/>
<criterion comment="idle delay is set correctly" test_ref="oval:ssg:tst:297"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:298" version="1">
<metadata>
<title>Require Authentication for Single-User Mode</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The requirement for a password to boot into single-user mode
should be configured correctly.</description>
<reference source="galford" ref_id="20140926" ref_url="test_attestation"/>
<reference ref_id="require_singleuser_auth" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="Conditions are satisfied" test_ref="oval:ssg:tst:299"/>
<criterion test_ref="oval:ssg:tst:300"/>
<criterion test_ref="oval:ssg:tst:301" negate="true"/>
<criterion test_ref="oval:ssg:tst:302" negate="true"/>
</criteria>
</definition>
</definitions>
<tests>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure at least one NTP server is set" id="oval:ssg:tst:126" version="1">
<ind:object object_ref="oval:ssg:obj:303"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure nullok is not used in /etc/pam.d/system-auth" id="oval:ssg:tst:128" version="1">
<ind:object object_ref="oval:ssg:obj:304"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:131" version="1">
<ind:object object_ref="oval:ssg:obj:305"/>
<ind:state state_ref="oval:ssg:ste:306"/>
</ind:textfilecontent54_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:101" version="1">
<ind:object object_ref="oval:ssg:obj:111"/>
<ind:state state_ref="oval:ssg:ste:112"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="only_one_exists" comment="fedora-release is version 19" id="oval:ssg:tst:102" version="1">
<linux:object object_ref="oval:ssg:obj:113"/>
<linux:state state_ref="oval:ssg:ste:114"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg:tst:133" version="1" comment="package openssh-server is removed">
<linux:object object_ref="oval:ssg:obj:307"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:135" version="1" comment="package dconf is installed">
<linux:object object_ref="oval:ssg:obj:308"/>
</linux:rpminfo_test>
<ind:variable_test id="oval:ssg:tst:137" check="all" comment="The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:309"/>
<ind:state state_ref="oval:ssg:ste:310"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary directories uid root" id="oval:ssg:tst:139" version="1">
<unix:object object_ref="oval:ssg:obj:311"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary files uid root" id="oval:ssg:tst:140" version="1">
<unix:object object_ref="oval:ssg:obj:312"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="oval:ssg:tst:143" version="1">
<ind:object object_ref="oval:ssg:obj:313"/>
<ind:state state_ref="oval:ssg:ste:314"/>
<ind:state state_ref="oval:ssg:ste:315"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner is enabled" id="oval:ssg:tst:146" version="1">
<ind:object object_ref="oval:ssg:obj:316"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg:tst:147" version="1">
<ind:object object_ref="oval:ssg:obj:317"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="oval:ssg:tst:149" version="1">
<unix:object object_ref="oval:ssg:obj:318"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library files uid root" id="oval:ssg:tst:150" version="1">
<unix:object object_ref="oval:ssg:obj:319"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests whether prelinking is disabled" id="oval:ssg:tst:152" version="1">
<ind:object object_ref="oval:ssg:obj:320"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:154" check="all" comment="The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:321"/>
<ind:state state_ref="oval:ssg:ste:322"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="home directories" id="oval:ssg:tst:156" version="1">
<unix:object object_ref="oval:ssg:obj:323"/>
<unix:state state_ref="oval:ssg:ste:324"/>
</unix:file_test>
<ind:textfilecontent54_test id="oval:ssg:tst:158" check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth" version="1">
<ind:object object_ref="oval:ssg:obj:325"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:159" check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)" version="1">
<ind:object object_ref="oval:ssg:obj:327"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:160" check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/system-auth" version="1">
<ind:object object_ref="oval:ssg:obj:328"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:161" check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth" version="1">
<ind:object object_ref="oval:ssg:obj:329"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:162" check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)" version="1">
<ind:object object_ref="oval:ssg:obj:330"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:163" check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/password-auth" version="1">
<ind:object object_ref="oval:ssg:obj:331"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg:tst:166" version="1">
<ind:object object_ref="oval:ssg:obj:332"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:169" version="1">
<ind:object object_ref="oval:ssg:obj:333"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:170" version="1">
<ind:object object_ref="oval:ssg:obj:334"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:171" version="1">
<ind:object object_ref="oval:ssg:obj:335"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver mode is blank" id="oval:ssg:tst:173" version="1">
<ind:object object_ref="oval:ssg:obj:336"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="blank screensaver cannot be changed by user" id="oval:ssg:tst:174" version="1">
<ind:object object_ref="oval:ssg:obj:337"/>
</ind:textfilecontent54_test>
<unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter kernel.exec-shield set to 1" id="oval:ssg:tst:176" version="1">
<unix:object object_ref="oval:ssg:obj:338"/>
<unix:state state_ref="oval:ssg:ste:339"/>
</unix:sysctl_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="kernel.exec-shield static configuration" id="oval:ssg:tst:177" version="1">
<ind:object object_ref="oval:ssg:obj:340"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NX is disabled" id="oval:ssg:tst:180" version="1">
<ind:object object_ref="oval:ssg:obj:341"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:182" version="1" comment="package ntp is installed">
<linux:object object_ref="oval:ssg:obj:342"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg:tst:183" version="1" comment="package net-snmp is removed">
<linux:object object_ref="oval:ssg:obj:343"/>
</linux:rpminfo_test>
<unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg:tst:184" version="1">
<unix:object object_ref="oval:ssg:obj:344"/>
<unix:state state_ref="oval:ssg:ste:345"/>
</unix:uname_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:186" version="1">
<ind:object object_ref="oval:ssg:obj:346"/>
<ind:state state_ref="oval:ssg:ste:347"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:187" version="1">
<ind:object object_ref="oval:ssg:obj:348"/>
<ind:state state_ref="oval:ssg:ste:347"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:189" version="1" comment="AntiVirus package is installed">
<linux:object object_ref="oval:ssg:obj:349"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:191" version="1">
<ind:object object_ref="oval:ssg:obj:350"/>
<ind:state state_ref="oval:ssg:ste:351"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:ssg:tst:193" version="1">
<unix:object object_ref="oval:ssg:obj:352"/>
<unix:state state_ref="oval:ssg:ste:353"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:194" version="1">
<unix:object object_ref="oval:ssg:obj:354"/>
<unix:state state_ref="oval:ssg:ste:353"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check for existence of gpgcheck=0 in /etc/yum.repos.d/ files" id="oval:ssg:tst:196" version="1">
<ind:object object_ref="oval:ssg:obj:355"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg:tst:198" version="1">
<ind:object object_ref="oval:ssg:obj:356"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="login banner text is correctly set" id="oval:ssg:tst:199" version="1">
<ind:object object_ref="oval:ssg:obj:357"/>
<ind:state state_ref="oval:ssg:ste:358"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .netrc in /home" id="oval:ssg:tst:201" version="1">
<unix:object object_ref="oval:ssg:obj:359"/>
</unix:file_test>
<unix:uname_test check="all" comment="32 bit architecture" id="oval:ssg:tst:202" version="1">
<unix:object object_ref="oval:ssg:obj:360"/>
<unix:state state_ref="oval:ssg:ste:361"/>
</unix:uname_test>
<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure at least one NTP server is set" id="oval:ssg:tst:204" version="1">
<ind:object object_ref="oval:ssg:obj:362"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:206" version="1">
<ind:object object_ref="oval:ssg:obj:363"/>
<ind:state state_ref="oval:ssg:ste:364"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for the presence of login shells (not /sbin/nologin) for system accounts in /etc/passwd file" id="oval:ssg:tst:208" version="1">
<ind:object object_ref="oval:ssg:obj:365"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:209" version="1" comment="package vsftpd is installed">
<linux:object object_ref="oval:ssg:obj:366"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the insecure locks in /etc/exports" id="oval:ssg:tst:211" version="1">
<ind:object object_ref="oval:ssg:obj:367"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg:tst:213" version="1">
<ind:object object_ref="oval:ssg:obj:368"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:215" version="1">
<ind:object object_ref="oval:ssg:obj:369"/>
<ind:state state_ref="oval:ssg:ste:370"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:216" version="1">
<ind:object object_ref="oval:ssg:obj:371"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount in GNOME3" id="oval:ssg:tst:218" version="1">
<ind:object object_ref="oval:ssg:obj:372"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount setting" id="oval:ssg:tst:221" version="1">
<ind:object object_ref="oval:ssg:obj:373"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount-open in GNOME" id="oval:ssg:tst:219" version="1">
<ind:object object_ref="oval:ssg:obj:374"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount-open setting" id="oval:ssg:tst:222" version="1">
<ind:object object_ref="oval:ssg:obj:375"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable autorun in GNOME" id="oval:ssg:tst:220" version="1">
<ind:object object_ref="oval:ssg:obj:376"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing autorun setting" id="oval:ssg:tst:223" version="1">
<ind:object object_ref="oval:ssg:obj:377"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="none_exist" comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:tst:224" version="1">
<unix:object object_ref="oval:ssg:obj:378"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="remember is set in /etc/pam.d/system-auth" id="oval:ssg:tst:226" version="1">
<ind:object object_ref="oval:ssg:obj:379"/>
<ind:state state_ref="oval:ssg:ste:380"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:228" version="1">
<ind:object object_ref="oval:ssg:obj:381"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 6" id="oval:ssg:tst:105" version="1">
<linux:object object_ref="oval:ssg:obj:115"/>
<linux:state state_ref="oval:ssg:ste:116"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 6" id="oval:ssg:tst:106" version="1">
<linux:object object_ref="oval:ssg:obj:117"/>
<linux:state state_ref="oval:ssg:ste:118"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:230" version="1">
<ind:object object_ref="oval:ssg:obj:382"/>
<ind:state state_ref="oval:ssg:ste:383"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:232" check="all" comment="The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:384"/>
<ind:state state_ref="oval:ssg:ste:385"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary files go-w" id="oval:ssg:tst:234" version="1">
<unix:object object_ref="oval:ssg:obj:386"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:236" version="1">
<ind:object object_ref="oval:ssg:obj:387"/>
<ind:state state_ref="oval:ssg:ste:388"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg:tst:238" version="1">
<unix:object object_ref="oval:ssg:obj:389"/>
<unix:state state_ref="oval:ssg:ste:390"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:239" version="1">
<unix:object object_ref="oval:ssg:obj:391"/>
<unix:state state_ref="oval:ssg:ste:390"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="oval:ssg:tst:241" version="1">
<unix:object object_ref="oval:ssg:obj:392"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="oval:ssg:tst:242" version="1">
<unix:object object_ref="oval:ssg:obj:393"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitRootLogin[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:244" version="1">
<ind:object object_ref="oval:ssg:obj:394"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="serial ports /etc/securetty" id="oval:ssg:tst:246" version="1">
<ind:object object_ref="oval:ssg:obj:395"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:248" version="1">
<ind:object object_ref="oval:ssg:obj:396"/>
<ind:state state_ref="oval:ssg:ste:397"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="oval:ssg:tst:250" version="1">
<ind:object object_ref="oval:ssg:obj:398"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:252" check="all" comment="The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:399"/>
<ind:state state_ref="oval:ssg:ste:400"/>
</ind:variable_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/issue" id="oval:ssg:tst:254" version="1">
<ind:object object_ref="oval:ssg:obj:401"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable thumbnailers in GNOME3" id="oval:ssg:tst:256" version="1">
<ind:object object_ref="oval:ssg:obj:402"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot enable thumbnailers " id="oval:ssg:tst:257" version="1">
<ind:object object_ref="oval:ssg:obj:403"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="dconf user profile exists" id="oval:ssg:tst:258" version="1">
<ind:object object_ref="oval:ssg:obj:404"/>
</ind:textfilecontent54_test>
<unix:sysctl_test check="all" check_existence="all_exist" comment="Disable IPv6 runtime check" id="oval:ssg:tst:260" version="1">
<unix:object object_ref="oval:ssg:obj:405"/>
<unix:state state_ref="oval:ssg:ste:406"/>
</unix:sysctl_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable IPv6 in sysctl.d conf file" id="oval:ssg:tst:261" version="1">
<ind:object object_ref="oval:ssg:obj:407"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:263" version="1">
<ind:object object_ref="oval:ssg:obj:408"/>
<ind:state state_ref="oval:ssg:ste:409"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in /etc/grub2.cfg files. Superuser is not root, admin, or administrator" id="oval:ssg:tst:266" version="1">
<ind:object object_ref="oval:ssg:obj:410"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /etc/grub2.cfg" id="oval:ssg:tst:265" version="1">
<ind:object object_ref="oval:ssg:obj:411"/>
</ind:textfilecontent54_test>
<unix:password_test check="all" comment="password hashes are shadowed" id="oval:ssg:tst:268" version="1">
<unix:object object_ref="oval:ssg:obj:412"/>
<unix:state state_ref="oval:ssg:ste:413"/>
</unix:password_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="idle delay is configured" id="oval:ssg:tst:270" version="1">
<ind:object object_ref="oval:ssg:obj:414"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change idle_activation_enabled" id="oval:ssg:tst:271" version="1">
<ind:object object_ref="oval:ssg:obj:415"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for ntpd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:tst:273" version="1">
<unix:object object_ref="oval:ssg:obj:416"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="Check if there aren't directories in root's path having write permission set for group or other" id="oval:ssg:tst:275" version="1">
<unix:object object_ref="oval:ssg:obj:417"/>
</unix:file_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:108" version="1">
<ind:object object_ref="oval:ssg:obj:119"/>
<ind:state state_ref="oval:ssg:ste:120"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg:tst:109" version="1">
<linux:object object_ref="oval:ssg:obj:121"/>
<linux:state state_ref="oval:ssg:ste:122"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg:tst:110" version="1">
<linux:object object_ref="oval:ssg:obj:123"/>
<linux:state state_ref="oval:ssg:ste:124"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="oval:ssg:tst:277" version="1">
<ind:object object_ref="oval:ssg:obj:418"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg:tst:279" version="1">
<unix:object object_ref="oval:ssg:obj:419"/>
<unix:state state_ref="oval:ssg:ste:420"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:280" version="1">
<unix:object object_ref="oval:ssg:obj:421"/>
<unix:state state_ref="oval:ssg:ste:420"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="virtual consoles /etc/securetty" id="oval:ssg:tst:282" version="1">
<ind:object object_ref="oval:ssg:obj:422"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:284" check="all" comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:423"/>
<ind:state state_ref="oval:ssg:ste:424"/>
</ind:variable_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:286" version="1">
<ind:object object_ref="oval:ssg:obj:425"/>
<ind:state state_ref="oval:ssg:ste:426"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is enabled" id="oval:ssg:tst:288" version="1">
<ind:object object_ref="oval:ssg:obj:427"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock cannot be changed by user" id="oval:ssg:tst:289" version="1">
<ind:object object_ref="oval:ssg:obj:428"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is set correctly" id="oval:ssg:tst:290" version="1">
<ind:object object_ref="oval:ssg:obj:429"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock delay cannot be changed by user" id="oval:ssg:tst:291" version="1">
<ind:object object_ref="oval:ssg:obj:430"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Banner for FTP Users" id="oval:ssg:tst:293" version="1">
<ind:object object_ref="oval:ssg:obj:431"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay is configured" id="oval:ssg:tst:295" version="1">
<ind:object object_ref="oval:ssg:obj:432"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change screensaver idle delay" id="oval:ssg:tst:296" version="1">
<ind:object object_ref="oval:ssg:obj:433"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay setting is correct" id="oval:ssg:tst:297" version="1">
<ind:object object_ref="oval:ssg:obj:434"/>
<ind:state state_ref="oval:ssg:ste:435"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode" id="oval:ssg:tst:299" version="1">
<ind:object object_ref="oval:ssg:obj:436"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that the systemd rescue.service is in the runlevel1.target" id="oval:ssg:tst:300" version="1">
<ind:object object_ref="oval:ssg:obj:437"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for rescue.service in /etc/systemd/system" id="oval:ssg:tst:302" version="1">
<unix:object object_ref="oval:ssg:obj:438"/>
</unix:file_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg:tst:301" version="1">
<unix:object object_ref="oval:ssg:obj:439"/>
</unix:file_test>
</tests>
<objects>
<ind:textfilecontent54_object comment="Ensure more than one NTP server is set" id="oval:ssg:obj:303" version="1">
<ind:filepath>/etc/ntp.conf</ind:filepath>
<ind:pattern operation="pattern match">^([\s]*server[\s]+.+$){2,}$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:304" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">\s*nullok\s*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:305" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:family_object id="oval:ssg:obj:111" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:113" version="1">
<linux:name>fedora-release</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:307" version="1">
<linux:name>openssh-server</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:308" version="1">
<linux:name>dconf</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:440" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MAX_DAYS directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MAX_DAYS directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:309" version="1">
<ind:var_ref>oval:ssg:var:441</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="binary directories" id="oval:ssg:obj:311" version="1">
<!-- Check that /bin, /sbin, /usr/sbin, /usr/sbin, /usr/local/bin, and
/usr/local/sbin directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:442</filter>
</unix:file_object>
<unix:file_object comment="binary files" id="oval:ssg:obj:312" version="1">
<!-- Check that files within /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, and
/usr/local/sbin directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:442</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:313" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:316" version="1">
<ind:path>/etc/dconf/db/gdm.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:317" version="1">
<ind:path>/etc/dconf/db/gdm.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/login-screen/banner-message-enable$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="library directories" id="oval:ssg:obj:318" version="1">
<!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:443</filter>
</unix:file_object>
<unix:file_object comment="library files" id="oval:ssg:obj:319" version="1">
<!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:443</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:320" version="2">
<ind:filepath>/etc/sysconfig/prelink</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*PRELINKING=no[\s]*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:444" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last ENCRYPT_METHOD directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of ENCRYPT_METHOD directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:321" version="1">
<ind:var_ref>oval:ssg:var:445</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="home directories" id="oval:ssg:obj:323" version="2">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
<unix:path operation="equals">/home</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="exclude">oval:ssg:ste:446</filter>
<filter action="include">oval:ssg:ste:324</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:325" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:327" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:328" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:329" version="1">
<!-- Read whole /etc/pam.d/password-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:330" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:331" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:332" version="1">
<ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:333" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*xferlog_enable[\s]*=[\s]*YES$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:334" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*xferlog_std_format[\s]*=[\s]*NO$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:335" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*log_ftp_protocol[\s]*=[\s]*YES$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:336" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=\'\'$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:337" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/picture-uri$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:340" version="1">
<ind:filepath>/etc/sysctl.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:sysctl_object id="oval:ssg:obj:338" version="1">
<unix:name>kernel.exec-shield</unix:name>
</unix:sysctl_object>
<ind:textfilecontent54_object id="oval:ssg:obj:341" version="1">
<ind:filepath>/boot/grub2/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">[\s]*noexec[\s]*=[\s]*off</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:342" version="1">
<linux:name>ntp</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:343" version="1">
<linux:name>net-snmp</linux:name>
</linux:rpminfo_object>
<unix:uname_object comment="64 bit architecture" id="oval:ssg:obj:344" version="1"/>
<ind:textfilecontent54_object id="oval:ssg:obj:346" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*retry=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:348" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:349" version="1">
<linux:name>McAfeeVSEForLinux</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:350" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:352" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:354" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:355" version="1">
<ind:path>/etc/yum.repos.d</ind:path>
<ind:filename operation="pattern match">.*</ind:filename>
<ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*0\s*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:356" version="1">
<ind:path>/etc/dconf/db/gdm.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/login-screen/banner-message-text$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:357" version="1">
<ind:path>/etc/dconf/db/gdm.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^banner-message-text=[\s']*([^']*)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for .netrc in /home" id="oval:ssg:obj:359" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
<unix:path operation="equals">/home</unix:path>
<unix:filename operation="pattern match">^\.netrc$</unix:filename>
</unix:file_object>
<unix:uname_object comment="32 bit architecture" id="oval:ssg:obj:360" version="1"/>
<ind:textfilecontent54_object comment="Ensure at least one NTP server is set" id="oval:ssg:obj:362" version="1">
<ind:filepath>/etc/ntp.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:363" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:365" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:366" version="1">
<linux:name>vsftpd</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:367" version="2">
<ind:filepath>/etc/exports</ind:filepath>
<ind:pattern operation="pattern match">^(.*?(\binsecure_locks\b)[^$]*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:368" version="1">
<ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:369" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^ucredit[s\]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:371" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:372" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:373" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:374" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:375" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:376" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:377" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:obj:378" version="1">
<unix:filepath>/etc/systemd/system/multi-user.target.wants/sshd.service</unix:filepath>
<filter action="include">oval:ssg:ste:447</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:379" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:381" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:115" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:117" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:382" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:448" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_WARN_AGE directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_WARN_AGE directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:384" version="1">
<ind:var_ref>oval:ssg:var:449</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="binary files" id="oval:ssg:obj:386" version="1">
<!-- Check that binary files under /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
and /usr/local/sbin directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:450</filter>
<filter action="exclude">oval:ssg:ste:451</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:387" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:389" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:391" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="library directories" id="oval:ssg:obj:392" version="1">
<!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:452</filter>
<filter action="exclude">oval:ssg:ste:453</filter>
</unix:file_object>
<unix:file_object comment="library files" id="oval:ssg:obj:393" version="1">
<!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:452</filter>
<filter action="exclude">oval:ssg:ste:453</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:394" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="serial ports /etc/securetty" id="oval:ssg:obj:395" version="1">
<ind:filepath>/etc/securetty</ind:filepath>
<ind:pattern operation="pattern match">^ttyS[0-9]+$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:396" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^difok[\s]*=[\s]*(\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:398" comment="gpgcheck set in /etc/yum.conf" version="1">
<ind:filepath>/etc/yum.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*1\s*$</ind:pattern>
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:454" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MIN_LEN directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MIN_LEN directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:399" version="1">
<ind:var_ref>oval:ssg:var:455</ind:var_ref>
</ind:variable_object>
<ind:textfilecontent54_object id="oval:ssg:obj:401" version="1">
<ind:filepath>/etc/issue</ind:filepath>
<ind:pattern var_ref="oval:ssg:var:456" operation="pattern match"/>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:402" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/thumbnailers]([^\n]*\n+)+?disable-all=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:403" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/thumbnailers/disable-all$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:404" version="2">
<ind:filepath>/etc/dconf/profile/user</ind:filepath>
<ind:pattern operation="pattern match">^user-db:user\nsystem-db:local$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:407" version="1">
<ind:filepath>/etc/sysctl.d/ipv6.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:sysctl_object id="oval:ssg:obj:405" version="1">
<unix:name>net.ipv6.conf.all.disable_ipv6</unix:name>
</unix:sysctl_object>
<ind:textfilecontent54_object id="oval:ssg:obj:408" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:410" version="1">
<ind:filepath>/etc/grub2.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:411" version="1">
<ind:filepath>/etc/grub2.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:password_object id="oval:ssg:obj:412" version="1">
<unix:username operation="pattern match">.*</unix:username>
</unix:password_object>
<ind:textfilecontent54_object id="oval:ssg:obj:414" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:415" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/idle-activation-enabled$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for ntpd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:obj:416" version="1">
<unix:filepath>/etc/systemd/system/multi-user.target.wants/ntpd.service</unix:filepath>
<filter action="include">oval:ssg:ste:447</filter>
</unix:file_object>
<ind:environmentvariable58_object id="oval:ssg:obj:457" version="1">
<ind:pid xsi:nil="true" datatype="int"/>
<ind:name>PATH</ind:name>
</ind:environmentvariable58_object>
<unix:file_object comment="root's path directories with wrong group / other write permissions" id="oval:ssg:obj:417" version="1">
<unix:path var_ref="oval:ssg:var:458" var_check="at least one"/>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:459</filter>
<filter action="exclude">oval:ssg:ste:460</filter>
</unix:file_object>
<ind:family_object id="oval:ssg:obj:119" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:121" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:123" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:418" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]*:0</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:419" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:421" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<ind:textfilecontent54_object comment="virtual consoles /etc/securetty" id="oval:ssg:obj:422" version="1">
<ind:filepath>/etc/securetty</ind:filepath>
<ind:pattern operation="pattern match">^vc/[0-9]+$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:461" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MIN_DAYS directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MIN_DAYS directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:423" version="1">
<ind:var_ref>oval:ssg:var:462</ind:var_ref>
</ind:variable_object>
<ind:textfilecontent54_object id="oval:ssg:obj:425" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:427" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:428" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-enabled$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:429" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-delay=0$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:430" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-delay$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="Banner for FTP Users" id="oval:ssg:obj:431" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*banner_file[\s]*=[\s]*/etc/issue*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:432" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=[0-9]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:433" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/session/idle-delay$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:434" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^idle-delay[\s=]*([^=\s]*)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:436" version="1">
<ind:filepath>/usr/lib/systemd/system/rescue.service</ind:filepath>
<ind:pattern operation="pattern match">^ExecStart=\-.*/sbin/sulogin</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:437" version="1">
<ind:filepath>/usr/lib/systemd/system/runlevel1.target</ind:filepath>
<ind:pattern operation="pattern match">^Requires=.*rescue.service</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for rescue.service in /etc/systemd/system" id="oval:ssg:obj:438" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
<unix:path operation="equals">/etc/systemd/system</unix:path>
<unix:filename operation="pattern match">^rescue.service$</unix:filename>
</unix:file_object>
<unix:file_object comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg:obj:439" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
<unix:path operation="equals">/etc/systemd/system</unix:path>
<unix:filename operation="pattern match">^runlevel1.target$</unix:filename>
</unix:file_object>
</objects>
<states>
<ind:textfilecontent54_state id="oval:ssg:ste:306" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:463"/>
</ind:textfilecontent54_state>
<ind:family_state id="oval:ssg:ste:112" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:114" version="1">
<linux:version operation="pattern match">^19$</linux:version>
</linux:rpminfo_state>
<ind:variable_state id="oval:ssg:ste:310" version="1">
<ind:value operation="less than or equal" var_ref="oval:ssg:var:464" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:442" version="1" operator="OR">
<unix:user_id datatype="int" operation="not equal">0</unix:user_id>
</unix:file_state>
<ind:textfilecontent54_state comment="upper bound of ClientAliveInterval in seconds" id="oval:ssg:ste:314" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg:var:465"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state comment="lower bound of ClientAliveInterval in seconds" id="oval:ssg:ste:315" version="1">
<ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:443" version="1">
<unix:user_id datatype="int" operation="not equal">0</unix:user_id>
</unix:file_state>
<ind:variable_state id="oval:ssg:ste:322" version="1">
<ind:value operation="equals" datatype="string">SHA512</ind:value>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:446" version="1">
<!-- Exclude /home directory itself from the check. Check /home/* directories only. -->
<unix:path operation="equals">/home</unix:path>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:324" version="1" operator="OR">
<unix:suid datatype="boolean">true</unix:suid>
<unix:sgid datatype="boolean">true</unix:sgid>
<unix:sticky datatype="boolean">true</unix:sticky>
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:oread datatype="boolean">true</unix:oread>
<unix:owrite datatype="boolean">true</unix:owrite>
<unix:oexec datatype="boolean">true</unix:oexec>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:326" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:466"/>
</ind:textfilecontent54_state>
<unix:sysctl_state id="oval:ssg:ste:339" version="1">
<unix:value datatype="int" operation="equals">1</unix:value>
</unix:sysctl_state>
<unix:uname_state comment="64 bit architecture" id="oval:ssg:ste:345" version="1">
<unix:processor_type operation="equals">x86_64</unix:processor_type>
</unix:uname_state>
<ind:textfilecontent54_state id="oval:ssg:ste:347" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:467"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:351" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:468"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:353" version="1">
<unix:uexec datatype="boolean">false</unix:uexec>
<unix:gread datatype="boolean">false</unix:gread>
<unix:gwrite datatype="boolean">false</unix:gwrite>
<unix:gexec datatype="boolean">false</unix:gexec>
<unix:oread datatype="boolean">false</unix:oread>
<unix:owrite datatype="boolean">false</unix:owrite>
<unix:oexec datatype="boolean">false</unix:oexec>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:358" version="1">
<ind:subexpression datatype="string" operation="pattern match" var_ref="oval:ssg:var:456"/>
</ind:textfilecontent54_state>
<unix:uname_state comment="32 bit architecture" id="oval:ssg:ste:361" version="1">
<unix:processor_type operation="equals">i686</unix:processor_type>
</unix:uname_state>
<ind:textfilecontent54_state id="oval:ssg:ste:364" version="1">
<ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:370" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:469"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:447" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:380" version="1">
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:470"/>
</ind:textfilecontent54_state>
<linux:rpminfo_state id="oval:ssg:ste:116" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:118" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<ind:textfilecontent54_state id="oval:ssg:ste:383" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:471"/>
</ind:textfilecontent54_state>
<ind:variable_state id="oval:ssg:ste:385" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:472" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:450" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:451" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:388" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:473"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:390" version="1">
<unix:user_id datatype="int">0</unix:user_id>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:452" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:453" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:397" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:474"/>
</ind:textfilecontent54_state>
<ind:variable_state id="oval:ssg:ste:400" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:475" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:sysctl_state id="oval:ssg:ste:406" version="1">
<unix:value datatype="int" operation="equals">1</unix:value>
</unix:sysctl_state>
<ind:textfilecontent54_state id="oval:ssg:ste:409" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:476"/>
</ind:textfilecontent54_state>
<unix:password_state id="oval:ssg:ste:413" version="1">
<unix:password>x</unix:password>
</unix:password_state>
<unix:file_state comment="group or other has write privilege" id="oval:ssg:ste:459" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state comment="symbolic link" id="oval:ssg:ste:460" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:family_state id="oval:ssg:ste:120" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:122" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:124" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<unix:file_state id="oval:ssg:ste:420" version="1">
<unix:group_id datatype="int">0</unix:group_id>
</unix:file_state>
<ind:variable_state id="oval:ssg:ste:424" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:477" datatype="int" var_check="at least one"/>
</ind:variable_state>
<ind:textfilecontent54_state id="oval:ssg:ste:426" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:478"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:435" version="1">
<ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:479"/>
</ind:textfilecontent54_state>
</states>
<variables>
<external_variable comment="External variable for pam_cracklib minclass" datatype="int" id="oval:ssg:var:463" version="1"/>
<local_variable id="oval:ssg:var:441" datatype="int" comment="The value of last PASS_MAX_DAYS directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MAX_DAYS\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:440"/>
</regex_capture>
</local_variable>
<external_variable comment="Maximum password age" datatype="int" id="oval:ssg:var:464" version="1"/>
<external_variable comment="timeout value" datatype="int" id="oval:ssg:var:465" version="1"/>
<local_variable id="oval:ssg:var:445" datatype="string" comment="The value of last ENCRYPT_METHOD directive in /etc/login.defs" version="1">
<regex_capture pattern="ENCRYPT_METHOD\s+(\w+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:444"/>
</regex_capture>
</local_variable>
<external_variable id="oval:ssg:var:466" datatype="int" comment="number of failed login attempts allowed" version="1"/>
<external_variable comment="External variable for pam_cracklib retry" datatype="int" id="oval:ssg:var:467" version="1"/>
<external_variable comment="External variable for pam_cracklib minlen" datatype="int" id="oval:ssg:var:468" version="1"/>
<external_variable comment="external variable for GDM login banner text" datatype="string" id="oval:ssg:var:456" version="1"/>
<external_variable comment="External variable for pam_cracklib ucredit" datatype="int" id="oval:ssg:var:469" version="1"/>
<external_variable comment="number of passwords that should be remembered" datatype="int" id="oval:ssg:var:470" version="1"/>
<external_variable comment="External variable for pam_cracklib ocredit" datatype="int" id="oval:ssg:var:471" version="1"/>
<local_variable id="oval:ssg:var:449" datatype="int" comment="The value of last PASS_WARN_AGE directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_WARN_AGE\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:448"/>
</regex_capture>
</local_variable>
<external_variable comment="password expiration warning age in days" datatype="int" id="oval:ssg:var:472" version="1"/>
<external_variable comment="External variable for pam_cracklib maxrepeat" datatype="int" id="oval:ssg:var:473" version="1"/>
<external_variable comment="External variable for pam_cracklib difok" datatype="int" id="oval:ssg:var:474" version="1"/>
<local_variable id="oval:ssg:var:455" datatype="int" comment="The value of last PASS_MIN_LEN directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MIN_LEN\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:454"/>
</regex_capture>
</local_variable>
<external_variable comment="Password minimum length" datatype="int" id="oval:ssg:var:475" version="1"/>
<external_variable comment="External variable for pam_cracklib lcredit" datatype="int" id="oval:ssg:var:476" version="1"/>
<local_variable comment="Split the PATH on the : delimiter" datatype="string" id="oval:ssg:var:458" version="1">
<split delimiter=":">
<object_component item_field="value" object_ref="oval:ssg:obj:457"/>
</split>
</local_variable>
<local_variable id="oval:ssg:var:462" datatype="int" comment="The value of last PASS_MIN_DAYS directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MIN_DAYS\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:461"/>
</regex_capture>
</local_variable>
<external_variable comment="Minimum password age in days" datatype="int" id="oval:ssg:var:477" version="1"/>
<external_variable comment="External variable for pam_cracklib dcredit" datatype="int" id="oval:ssg:var:478" version="1"/>
<external_variable comment="inactivity timeout variable" datatype="string" id="oval:ssg:var:479" version="1"/>
</variables>
</oval_definitions></ds:component></ds:data-stream-collection>
xccdf_org.ssgproject.content_profile_commonfalse��������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/data_dir_template/config_test.ini���������������������������������������0000644�0001751�0000033�00000000345�13163222324�023064� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������[General]
jobs=8
[Tools]
oscap=/a/b/c/oscap
oscap-ssh=/d/e/f/oscap-ssh
oscap-vm=/openscap/bin/oscap-vm
oscap-docker=/g/h/i/j/oscap-docker
[Content]
ssg=/g/h/i/ssg/content
[CVEScanner]
fetch-cve-url=http://a.b.com/some/folder/
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/data_dir_template/config.ini��������������������������������������������0000644�0001751�0000033�00000000363�13163222324�022025� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������[General]
tasks-dir=./tasks
results-dir=./results
work-in-progress-dir=./work_in_progress
cve-feeds-dir=./cve_feeds
jobs=4
max-results-to-keep=100
[Tools]
oscap=
oscap-ssh=
oscap-vm=
oscap-docker=
[Content]
ssg=
[CVEScanner]
fetch-cve-url=
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/testing_data/�����������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�017061� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/testing_data/evaluation_spec_oval.xml�����������������������������������0000644�0001751�0000033�00020007525�13163222324�024020� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������ovallocalhost<?xml version="1.0" encoding="utf-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:red-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
<generator>
<oval:product_name>Red Hat OVAL Patch Definition Merger</oval:product_name>
<oval:product_version>3</oval:product_version>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2016-03-06T22:23:02</oval:timestamp>
</generator>
<definitions>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140675" version="601">
<metadata>
<title>RHSA-2014:0675: java-1.7.0-openjdk security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0675-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0675.html" source="RHSA"/>
<reference ref_id="CVE-2014-0429" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0429.html" source="CVE"/>
<reference ref_id="CVE-2014-0446" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0446.html" source="CVE"/>
<reference ref_id="CVE-2014-0451" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0451.html" source="CVE"/>
<reference ref_id="CVE-2014-0452" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0452.html" source="CVE"/>
<reference ref_id="CVE-2014-0453" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0453.html" source="CVE"/>
<reference ref_id="CVE-2014-0454" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0454.html" source="CVE"/>
<reference ref_id="CVE-2014-0455" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0455.html" source="CVE"/>
<reference ref_id="CVE-2014-0456" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0456.html" source="CVE"/>
<reference ref_id="CVE-2014-0457" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0457.html" source="CVE"/>
<reference ref_id="CVE-2014-0458" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0458.html" source="CVE"/>
<reference ref_id="CVE-2014-0459" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0459.html" source="CVE"/>
<reference ref_id="CVE-2014-0460" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0460.html" source="CVE"/>
<reference ref_id="CVE-2014-0461" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0461.html" source="CVE"/>
<reference ref_id="CVE-2014-1876" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1876.html" source="CVE"/>
<reference ref_id="CVE-2014-2397" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2397.html" source="CVE"/>
<reference ref_id="CVE-2014-2398" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2398.html" source="CVE"/>
<reference ref_id="CVE-2014-2402" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2402.html" source="CVE"/>
<reference ref_id="CVE-2014-2403" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2403.html" source="CVE"/>
<reference ref_id="CVE-2014-2412" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2412.html" source="CVE"/>
<reference ref_id="CVE-2014-2413" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2413.html" source="CVE"/>
<reference ref_id="CVE-2014-2414" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2414.html" source="CVE"/>
<reference ref_id="CVE-2014-2421" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2421.html" source="CVE"/>
<reference ref_id="CVE-2014-2423" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2423.html" source="CVE"/>
<reference ref_id="CVE-2014-2427" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2427.html" source="CVE"/>
<description>The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
An input validation flaw was discovered in the medialib library in the 2D
component. A specially crafted image could trigger Java Virtual Machine
memory corruption when processed. A remote attacker, or an untrusted Java
application or applet, could possibly use this flaw to execute arbitrary
code with the privileges of the user running the Java Virtual Machine.
(CVE-2014-0429)
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK.
An untrusted Java application or applet could use these flaws to trigger
Java Virtual Machine memory corruption and possibly bypass Java sandbox
restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421)
Multiple improper permission check issues were discovered in the Libraries
component in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2014-0457,
CVE-2014-0455, CVE-2014-0461)
Multiple improper permission check issues were discovered in the AWT,
JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK.
An untrusted Java application or applet could use these flaws to bypass
certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451,
CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402,
CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459)
Multiple flaws were identified in the Java Naming and Directory Interface
(JNDI) DNS client. These flaws could make it easier for a remote attacker
to perform DNS spoofing attacks. (CVE-2014-0460)
It was discovered that the JAXP component did not properly prevent access
to arbitrary files when a SecurityManager was present. This flaw could
cause a Java application using JAXP to leak sensitive information, or
affect application availability. (CVE-2014-2403)
It was discovered that the Security component in OpenJDK could leak some
timing information when performing PKCS#1 unpadding. This could possibly
lead to the disclosure of some information that was meant to be protected
by encryption. (CVE-2014-0453)
It was discovered that the fix for CVE-2013-5797 did not properly resolve
input sanitization flaws in javadoc. When javadoc documentation was
generated from an untrusted Java source code and hosted on a domain not
controlled by the code author, these issues could make it easier to perform
cross-site scripting (XSS) attacks. (CVE-2014-2398)
An insecure temporary file use flaw was found in the way the unpack200
utility created log files. A local attacker could possibly use this flaw to
perform a symbolic link attack and overwrite arbitrary files with the
privileges of the user running unpack200. (CVE-2014-1876)
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0429.html">CVE-2014-0429</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0446.html">CVE-2014-0446</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0451.html">CVE-2014-0451</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0452.html">CVE-2014-0452</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0453.html">CVE-2014-0453</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0454.html">CVE-2014-0454</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0455.html">CVE-2014-0455</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0456.html">CVE-2014-0456</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0457.html">CVE-2014-0457</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0458.html">CVE-2014-0458</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0459.html">CVE-2014-0459</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0460.html">CVE-2014-0460</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0461.html">CVE-2014-0461</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1876.html">CVE-2014-1876</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2397.html">CVE-2014-2397</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2398.html">CVE-2014-2398</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2402.html">CVE-2014-2402</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2403.html">CVE-2014-2403</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2412.html">CVE-2014-2412</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2413.html">CVE-2014-2413</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2414.html">CVE-2014-2414</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2421.html">CVE-2014-2421</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2423.html">CVE-2014-2423</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2427.html">CVE-2014-2427</cve>
<bugzilla href="https://bugzilla.redhat.com/1060907" id="1060907">CVE-2014-1876 OpenJDK: insecure temporary file use in unpack200 (Libraries, 8033618)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086632" id="1086632">CVE-2014-2398 OpenJDK: insufficient escaping of window title string (Javadoc, 8026736)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086645" id="1086645">CVE-2014-0453 OpenJDK: RSA unpadding timing issues (Security, 8027766)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087409" id="1087409">CVE-2014-0429 OpenJDK: Incorrect mlib/raster image validation (2D, 8027841)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087411" id="1087411">CVE-2014-0457 OpenJDK: ServiceLoader Exception handling security bypass (Libraries, 8031394)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087413" id="1087413">CVE-2014-0456 OpenJDK: System.arraycopy() element race condition (Hotspot, 8029858)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087417" id="1087417">CVE-2014-2421 OpenJDK: JPEG decoder input stream handling (2D, 8029854)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087423" id="1087423">CVE-2014-2397 OpenJDK: classfile parser invalid BootstrapMethods attribute length (Hotspot, 8034926)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087424" id="1087424">CVE-2014-0455 OpenJDK: MethodHandle variable argument lists handling (Libraries, 8029844)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087426" id="1087426">CVE-2014-0461 OpenJDK: Better ScriptEngineManager ScriptEngine management (Libraries, 8036794)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087427" id="1087427">CVE-2014-2412 OpenJDK: AWT thread context handling (AWT, 8025010)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087428" id="1087428">CVE-2014-0451 OpenJDK: AWT incorrect FlavorMap seperation (AWT, 8026797)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087430" id="1087430">CVE-2014-0458 OpenJDK: Activation framework default command map caching (JAX-WS, 8025152)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087431" id="1087431">CVE-2014-2414 OpenJDK: incorrect caching of data initialized via TCCL (JAXB, 8025030)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087434" id="1087434">CVE-2014-2423 OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026188)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087436" id="1087436">CVE-2014-0452 OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026801)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087438" id="1087438">CVE-2014-2402 OpenJDK: Incorrect NIO channel separation (Libraries, 8026716)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087439" id="1087439">CVE-2014-0446 OpenJDK: Protect logger handlers (Libraries, 8029740)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087440" id="1087440">CVE-2014-0454 OpenJDK: Prevent SIGNATURE_PRIMITIVE_SET from being modified (Security, 8029745)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087441" id="1087441">CVE-2014-2427 OpenJDK: remove insecure Java Sound provider caching (Sound, 8026163)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087442" id="1087442">CVE-2014-0460 OpenJDK: missing randomization of JNDI DNS client query IDs (JNDI, 8030731)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087443" id="1087443">CVE-2014-2403 OpenJDK: JAXP CharInfo file access restriction (JAXP, 8029282)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087444" id="1087444">CVE-2014-0459 lcms: insufficient ICC profile version validation (OpenJDK 2D, 8031335)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087446" id="1087446">CVE-2014-2413 OpenJDK: method handle call hierachy bypass (Libraries, 8032686)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.55-2.4.7.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140675017"/>
<criterion comment="java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.55-2.4.7.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140675013"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.55-2.4.7.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140675005"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.55-2.4.7.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140675007"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.55-2.4.7.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140675011"/>
<criterion comment="java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.55-2.4.7.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140675015"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.55-2.4.7.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140675009"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140678" version="601">
<metadata>
<title>RHSA-2014:0678: kernel security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0678-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0678.html" source="RHSA"/>
<reference ref_id="CVE-2014-0196" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0196.html" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A race condition flaw, leading to heap-based buffer overflows, was found
in the way the Linux kernel's N_TTY line discipline (LDISC) implementation
handled concurrent processing of echo output and TTY write operations
originating from user space when the underlying TTY driver was PTY.
An unprivileged, local user could use this flaw to crash the system or,
potentially, escalate their privileges on the system. (CVE-2014-0196,
Important)
All kernel users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0196.html">CVE-2014-0196</cve>
<bugzilla href="https://bugzilla.redhat.com/1094232" id="1094232">CVE-2014-0196 kernel: pty layer race condition leading to memory corruption</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678033"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678009"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678029"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678023"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678019"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678027"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678017"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678031"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678021"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678015"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678011"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-123.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140678013"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140679" version="601">
<metadata>
<title>RHSA-2014:0679: openssl security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0679-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0679.html" source="RHSA"/>
<reference ref_id="CVE-2010-5298" ref_url="https://www.redhat.com/security/data/cve/CVE-2010-5298.html" source="CVE"/>
<reference ref_id="CVE-2014-0195" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0195.html" source="CVE"/>
<reference ref_id="CVE-2014-0198" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0198.html" source="CVE"/>
<reference ref_id="CVE-2014-0221" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0221.html" source="CVE"/>
<reference ref_id="CVE-2014-0224" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0224.html" source="CVE"/>
<reference ref_id="CVE-2014-3470" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3470.html" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
It was found that OpenSSL clients and servers could be forced, via a
specially crafted handshake packet, to use weak keying material for
communication. A man-in-the-middle attacker could use this flaw to decrypt
and modify traffic between a client and a server. (CVE-2014-0224)
Note: In order to exploit this flaw, both the server and the client must be
using a vulnerable version of OpenSSL; the server must be using OpenSSL
version 1.0.1 and above, and the client must be using any version of
OpenSSL. For more information about this flaw, refer to:
https://access.redhat.com/site/articles/904433
A buffer overflow flaw was found in the way OpenSSL handled invalid DTLS
packet fragments. A remote attacker could possibly use this flaw to execute
arbitrary code on a DTLS client or server. (CVE-2014-0195)
Multiple flaws were found in the way OpenSSL handled read and write buffers
when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or
server using OpenSSL could crash or unexpectedly drop connections when
processing certain SSL traffic. (CVE-2010-5298, CVE-2014-0198)
A denial of service flaw was found in the way OpenSSL handled certain DTLS
ServerHello requests. A specially crafted DTLS handshake packet could cause
a DTLS client using OpenSSL to crash. (CVE-2014-0221)
A NULL pointer dereference flaw was found in the way OpenSSL performed
anonymous Elliptic Curve Diffie Hellman (ECDH) key exchange. A specially
crafted handshake packet could cause a TLS/SSL client that has the
anonymous ECDH cipher suite enabled to crash. (CVE-2014-3470)
Red Hat would like to thank the OpenSSL project for reporting these issues.
Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter
of CVE-2014-0224, Jüri Aedla as the original reporter of CVE-2014-0195,
Imre Rad of Search-Lab as the original reporter of CVE-2014-0221, and Felix
Gröbert and Ivan Fratrić of Google as the original reporters of
CVE-2014-3470.
All OpenSSL users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all services linked to the OpenSSL library (such as httpd and other
SSL-enabled services) must be restarted or the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2010-5298.html">CVE-2010-5298</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0195.html">CVE-2014-0195</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0198.html">CVE-2014-0198</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0221.html">CVE-2014-0221</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0224.html">CVE-2014-0224</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3470.html">CVE-2014-3470</cve>
<bugzilla href="https://bugzilla.redhat.com/1087195" id="1087195">CVE-2010-5298 openssl: freelist misuse causing a possible use-after-free</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1093837" id="1093837">CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL pointer dereference in do_ssl3_write()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1103586" id="1103586">CVE-2014-0224 openssl: SSL/TLS MITM vulnerability</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1103593" id="1103593">CVE-2014-0221 openssl: DoS when sending invalid DTLS handshake</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1103598" id="1103598">CVE-2014-0195 openssl: Buffer overflow via DTLS invalid fragment</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1103600" id="1103600">CVE-2014-3470 openssl: client-side denial of service when using anonymous ECDH</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679011"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679007"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679009"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679005"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20140679013"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140680" version="601">
<metadata>
<title>RHSA-2014:0680: openssl098e security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0680-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0680.html" source="RHSA"/>
<reference ref_id="CVE-2014-0224" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0224.html" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
It was found that OpenSSL clients and servers could be forced, via a
specially crafted handshake packet, to use weak keying material for
communication. A man-in-the-middle attacker could use this flaw to decrypt
and modify traffic between a client and a server. (CVE-2014-0224)
Note: In order to exploit this flaw, both the server and the client must be
using a vulnerable version of OpenSSL; the server must be using OpenSSL
version 1.0.1 and above, and the client must be using any version of
OpenSSL. For more information about this flaw, refer to:
https://access.redhat.com/site/articles/904433
Red Hat would like to thank the OpenSSL project for reporting this issue.
Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter
of this issue.
All OpenSSL users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all services linked to the OpenSSL library (such as httpd and other
SSL-enabled services) must be restarted or the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0224.html">CVE-2014-0224</cve>
<bugzilla href="https://bugzilla.redhat.com/1103586" id="1103586">CVE-2014-0224 openssl: SSL/TLS MITM vulnerability</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="openssl098e is earlier than 0:0.9.8e-29.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140680005"/>
<criterion comment="openssl098e is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140680006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140684" version="601">
<metadata>
<title>RHSA-2014:0684: gnutls security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0684-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0684.html" source="RHSA"/>
<reference ref_id="CVE-2014-3465" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3465.html" source="CVE"/>
<reference ref_id="CVE-2014-3466" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3466.html" source="CVE"/>
<description>The GnuTLS library provides support for cryptographic algorithms and for
protocols such as Transport Layer Security (TLS).
A flaw was found in the way GnuTLS parsed session IDs from ServerHello
messages of the TLS/SSL handshake. A malicious server could use this flaw
to send an excessively long session ID value, which would trigger a buffer
overflow in a connecting TLS/SSL client application using GnuTLS, causing
the client application to crash or, possibly, execute arbitrary code.
(CVE-2014-3466)
A NULL pointer dereference flaw was found in the way GnuTLS parsed X.509
certificates. A specially crafted certificate could cause a server or
client application using GnuTLS to crash. (CVE-2014-3465)
Red Hat would like to thank GnuTLS upstream for reporting these issues.
Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original
reporter of CVE-2014-3466.
Users of GnuTLS are advised to upgrade to these updated packages, which
correct these issues. For the update to take effect, all applications
linked to the GnuTLS library must be restarted.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3465.html">CVE-2014-3465</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3466.html">CVE-2014-3466</cve>
<bugzilla href="https://bugzilla.redhat.com/1101734" id="1101734">CVE-2014-3465 gnutls: gnutls_x509_dn_oid_name NULL pointer dereference</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1101932" id="1101932">CVE-2014-3466 gnutls: insufficient session id length check in _gnutls_read_server_hello (GNUTLS-SA-2014-3)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="gnutls-devel is earlier than 0:3.1.18-9.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140684013"/>
<criterion comment="gnutls-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684014"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-utils is earlier than 0:3.1.18-9.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140684011"/>
<criterion comment="gnutls-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684012"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-dane is earlier than 0:3.1.18-9.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140684007"/>
<criterion comment="gnutls-dane is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684008"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-c++ is earlier than 0:3.1.18-9.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140684009"/>
<criterion comment="gnutls-c++ is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684010"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls is earlier than 0:3.1.18-9.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140684005"/>
<criterion comment="gnutls is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684006"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140685" version="601">
<metadata>
<title>RHSA-2014:0685: java-1.6.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0685-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0685.html" source="RHSA"/>
<reference ref_id="CVE-2014-0429" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0429.html" source="CVE"/>
<reference ref_id="CVE-2014-0446" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0446.html" source="CVE"/>
<reference ref_id="CVE-2014-0451" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0451.html" source="CVE"/>
<reference ref_id="CVE-2014-0452" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0452.html" source="CVE"/>
<reference ref_id="CVE-2014-0453" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0453.html" source="CVE"/>
<reference ref_id="CVE-2014-0456" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0456.html" source="CVE"/>
<reference ref_id="CVE-2014-0457" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0457.html" source="CVE"/>
<reference ref_id="CVE-2014-0458" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0458.html" source="CVE"/>
<reference ref_id="CVE-2014-0460" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0460.html" source="CVE"/>
<reference ref_id="CVE-2014-0461" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0461.html" source="CVE"/>
<reference ref_id="CVE-2014-1876" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1876.html" source="CVE"/>
<reference ref_id="CVE-2014-2397" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2397.html" source="CVE"/>
<reference ref_id="CVE-2014-2398" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2398.html" source="CVE"/>
<reference ref_id="CVE-2014-2403" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2403.html" source="CVE"/>
<reference ref_id="CVE-2014-2412" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2412.html" source="CVE"/>
<reference ref_id="CVE-2014-2414" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2414.html" source="CVE"/>
<reference ref_id="CVE-2014-2421" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2421.html" source="CVE"/>
<reference ref_id="CVE-2014-2423" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2423.html" source="CVE"/>
<reference ref_id="CVE-2014-2427" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2427.html" source="CVE"/>
<description>The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
An input validation flaw was discovered in the medialib library in the 2D
component. A specially crafted image could trigger Java Virtual Machine
memory corruption when processed. A remote attacker, or an untrusted Java
application or applet, could possibly use this flaw to execute arbitrary
code with the privileges of the user running the Java Virtual Machine.
(CVE-2014-0429)
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK.
An untrusted Java application or applet could use these flaws to trigger
Java Virtual Machine memory corruption and possibly bypass Java sandbox
restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421)
Multiple improper permission check issues were discovered in the Libraries
component in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2014-0457,
CVE-2014-0461)
Multiple improper permission check issues were discovered in the AWT,
JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass certain Java sandbox
restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423,
CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427)
Multiple flaws were identified in the Java Naming and Directory Interface
(JNDI) DNS client. These flaws could make it easier for a remote attacker
to perform DNS spoofing attacks. (CVE-2014-0460)
It was discovered that the JAXP component did not properly prevent access
to arbitrary files when a SecurityManager was present. This flaw could
cause a Java application using JAXP to leak sensitive information, or
affect application availability. (CVE-2014-2403)
It was discovered that the Security component in OpenJDK could leak some
timing information when performing PKCS#1 unpadding. This could possibly
lead to the disclosure of some information that was meant to be protected
by encryption. (CVE-2014-0453)
It was discovered that the fix for CVE-2013-5797 did not properly resolve
input sanitization flaws in javadoc. When javadoc documentation was
generated from an untrusted Java source code and hosted on a domain not
controlled by the code author, these issues could make it easier to perform
cross-site scripting (XSS) attacks. (CVE-2014-2398)
An insecure temporary file use flaw was found in the way the unpack200
utility created log files. A local attacker could possibly use this flaw to
perform a symbolic link attack and overwrite arbitrary files with the
privileges of the user running unpack200. (CVE-2014-1876)
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0429.html">CVE-2014-0429</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0446.html">CVE-2014-0446</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0451.html">CVE-2014-0451</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0452.html">CVE-2014-0452</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0453.html">CVE-2014-0453</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0456.html">CVE-2014-0456</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0457.html">CVE-2014-0457</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0458.html">CVE-2014-0458</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0460.html">CVE-2014-0460</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0461.html">CVE-2014-0461</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1876.html">CVE-2014-1876</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2397.html">CVE-2014-2397</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2398.html">CVE-2014-2398</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2403.html">CVE-2014-2403</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2412.html">CVE-2014-2412</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2414.html">CVE-2014-2414</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2421.html">CVE-2014-2421</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2423.html">CVE-2014-2423</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2427.html">CVE-2014-2427</cve>
<bugzilla href="https://bugzilla.redhat.com/1060907" id="1060907">CVE-2014-1876 OpenJDK: insecure temporary file use in unpack200 (Libraries, 8033618)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086632" id="1086632">CVE-2014-2398 OpenJDK: insufficient escaping of window title string (Javadoc, 8026736)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086645" id="1086645">CVE-2014-0453 OpenJDK: RSA unpadding timing issues (Security, 8027766)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087409" id="1087409">CVE-2014-0429 OpenJDK: Incorrect mlib/raster image validation (2D, 8027841)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087411" id="1087411">CVE-2014-0457 OpenJDK: ServiceLoader Exception handling security bypass (Libraries, 8031394)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087413" id="1087413">CVE-2014-0456 OpenJDK: System.arraycopy() element race condition (Hotspot, 8029858)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087417" id="1087417">CVE-2014-2421 OpenJDK: JPEG decoder input stream handling (2D, 8029854)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087423" id="1087423">CVE-2014-2397 OpenJDK: classfile parser invalid BootstrapMethods attribute length (Hotspot, 8034926)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087426" id="1087426">CVE-2014-0461 OpenJDK: Better ScriptEngineManager ScriptEngine management (Libraries, 8036794)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087427" id="1087427">CVE-2014-2412 OpenJDK: AWT thread context handling (AWT, 8025010)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087428" id="1087428">CVE-2014-0451 OpenJDK: AWT incorrect FlavorMap seperation (AWT, 8026797)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087430" id="1087430">CVE-2014-0458 OpenJDK: Activation framework default command map caching (JAX-WS, 8025152)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087431" id="1087431">CVE-2014-2414 OpenJDK: incorrect caching of data initialized via TCCL (JAXB, 8025030)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087434" id="1087434">CVE-2014-2423 OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026188)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087436" id="1087436">CVE-2014-0452 OpenJDK: incorrect caching of data initialized via TCCL (JAXWS, 8026801)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087439" id="1087439">CVE-2014-0446 OpenJDK: Protect logger handlers (Libraries, 8029740)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087441" id="1087441">CVE-2014-2427 OpenJDK: remove insecure Java Sound provider caching (Sound, 8026163)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087442" id="1087442">CVE-2014-0460 OpenJDK: missing randomization of JNDI DNS client query IDs (JNDI, 8030731)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087443" id="1087443">CVE-2014-2403 OpenJDK: JAXP CharInfo file access restriction (JAXP, 8029282)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140685013"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140685011"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140685005"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140685009"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140685007"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140686" version="601">
<metadata>
<title>RHSA-2014:0686: tomcat security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0686-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0686.html" source="RHSA"/>
<reference ref_id="CVE-2013-4286" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4286.html" source="CVE"/>
<reference ref_id="CVE-2013-4322" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4322.html" source="CVE"/>
<reference ref_id="CVE-2014-0186" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0186.html" source="CVE"/>
<description>Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
It was found that a fix for a previous security flaw introduced a
regression that could cause a denial of service in Tomcat 7. A remote
attacker could use this flaw to consume an excessive amount of CPU on the
Tomcat server by sending a specially crafted request to that server.
(CVE-2014-0186)
It was found that when Tomcat 7 processed a series of HTTP requests in
which at least one request contained either multiple content-length
headers, or one content-length header with a chunked transfer-encoding
header, Tomcat would incorrectly handle the request. A remote attacker
could use this flaw to poison a web cache, perform cross-site scripting
(XSS) attacks, or obtain sensitive information from other requests.
(CVE-2013-4286)
It was discovered that the fix for CVE-2012-3544 did not properly resolve a
denial of service flaw in the way Tomcat 7 processed chunk extensions and
trailing headers in chunked requests. A remote attacker could use this flaw
to send an excessively long request that, when processed by Tomcat, could
consume network bandwidth, CPU, and memory on the Tomcat server. Note that
chunked transfer encoding is enabled by default. (CVE-2013-4322)
All Tomcat 7 users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. Tomcat must be
restarted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4286.html">CVE-2013-4286</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4322.html">CVE-2013-4322</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0186.html">CVE-2014-0186</cve>
<bugzilla href="https://bugzilla.redhat.com/1069905" id="1069905">CVE-2013-4322 tomcat: incomplete fix for CVE-2012-3544</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1069921" id="1069921">CVE-2013-4286 tomcat: multiple content-length header poisoning flaws</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1089884" id="1089884">CVE-2014-0186 tomcat7: RHEL-7 regression causing DoS</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="tomcat-el-2.2-api is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686023"/>
<criterion comment="tomcat-el-2.2-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686024"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686005"/>
<criterion comment="tomcat is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686006"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-lib is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686009"/>
<criterion comment="tomcat-lib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686010"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-jsp-2.2-api is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686017"/>
<criterion comment="tomcat-jsp-2.2-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686018"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-docs-webapp is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686013"/>
<criterion comment="tomcat-docs-webapp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686014"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-admin-webapps is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686015"/>
<criterion comment="tomcat-admin-webapps is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686016"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-jsvc is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686021"/>
<criterion comment="tomcat-jsvc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686022"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-webapps is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686007"/>
<criterion comment="tomcat-webapps is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686008"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-servlet-3.0-api is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686019"/>
<criterion comment="tomcat-servlet-3.0-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686020"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-javadoc is earlier than 0:7.0.42-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140686011"/>
<criterion comment="tomcat-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686012"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140687" version="601">
<metadata>
<title>RHSA-2014:0687: libtasn1 security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0687-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0687.html" source="RHSA"/>
<reference ref_id="CVE-2014-3467" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3467.html" source="CVE"/>
<reference ref_id="CVE-2014-3468" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3468.html" source="CVE"/>
<reference ref_id="CVE-2014-3469" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3469.html" source="CVE"/>
<description>The libtasn1 library provides Abstract Syntax Notation One (ASN.1) parsing
and structures management, and Distinguished Encoding Rules (DER) encoding
and decoding functions.
It was discovered that the asn1_get_bit_der() function of the libtasn1
library incorrectly reported the length of ASN.1-encoded data. Specially
crafted ASN.1 input could cause an application using libtasn1 to perform
an out-of-bounds access operation, causing the application to crash or,
possibly, execute arbitrary code. (CVE-2014-3468)
Multiple incorrect buffer boundary check issues were discovered in
libtasn1. Specially crafted ASN.1 input could cause an application using
libtasn1 to crash. (CVE-2014-3467)
Multiple NULL pointer dereference flaws were found in libtasn1's
asn1_read_value() function. Specially crafted ASN.1 input could cause an
application using libtasn1 to crash, if the application used the
aforementioned function in a certain way. (CVE-2014-3469)
Red Hat would like to thank GnuTLS upstream for reporting these issues.
All libtasn1 users are advised to upgrade to these updated packages, which
correct these issues. For the update to take effect, all applications
linked to the libtasn1 library must be restarted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3467.html">CVE-2014-3467</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3468.html">CVE-2014-3468</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3469.html">CVE-2014-3469</cve>
<bugzilla href="https://bugzilla.redhat.com/1102022" id="1102022">CVE-2014-3467 libtasn1: multiple boundary check issues</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1102323" id="1102323">CVE-2014-3468 libtasn1: asn1_get_bit_der() can return negative bit length</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1102329" id="1102329">CVE-2014-3469 libtasn1: asn1_read_value_type() NULL pointer dereference</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libtasn1 is earlier than 0:3.3-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140687005"/>
<criterion comment="libtasn1 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140687006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libtasn1-devel is earlier than 0:3.3-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140687009"/>
<criterion comment="libtasn1-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140687010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libtasn1-tools is earlier than 0:3.3-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140687007"/>
<criterion comment="libtasn1-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140687008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140702" version="602">
<metadata>
<title>RHSA-2014:0702: mariadb security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0702-01" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0702.html" source="RHSA"/>
<reference ref_id="CVE-2014-0384" ref_url="https://access.redhat.com/security/cve/CVE-2014-0384" source="CVE"/>
<reference ref_id="CVE-2014-2419" ref_url="https://access.redhat.com/security/cve/CVE-2014-2419" source="CVE"/>
<reference ref_id="CVE-2014-2430" ref_url="https://access.redhat.com/security/cve/CVE-2014-2430" source="CVE"/>
<reference ref_id="CVE-2014-2431" ref_url="https://access.redhat.com/security/cve/CVE-2014-2431" source="CVE"/>
<reference ref_id="CVE-2014-2432" ref_url="https://access.redhat.com/security/cve/CVE-2014-2432" source="CVE"/>
<reference ref_id="CVE-2014-2436" ref_url="https://access.redhat.com/security/cve/CVE-2014-2436" source="CVE"/>
<reference ref_id="CVE-2014-2438" ref_url="https://access.redhat.com/security/cve/CVE-2014-2438" source="CVE"/>
<description>MariaDB is a multi-user, multi-threaded SQL database server that is binary
compatible with MySQL.
This update fixes several vulnerabilities in the MariaDB database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory page, listed in the References section. (CVE-2014-2436,
CVE-2014-2440, CVE-2014-0384, CVE-2014-2419, CVE-2014-2430, CVE-2014-2431,
CVE-2014-2432, CVE-2014-2438)
These updated packages upgrade MariaDB to version 5.5.37. Refer to the
MariaDB Release Notes listed in the References section for a complete list
of changes.
All MariaDB users should upgrade to these updated packages, which correct
these issues. After installing this update, the MariaDB server daemon
(mysqld) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0384">CVE-2014-0384</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-2419">CVE-2014-2419</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-2430">CVE-2014-2430</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-2431">CVE-2014-2431</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-2432">CVE-2014-2432</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-2436">CVE-2014-2436</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-2438">CVE-2014-2438</cve>
<bugzilla href="https://bugzilla.redhat.com/1088133" id="1088133">CVE-2014-0384 mysql: unspecified DoS related to XML (CPU April 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088134" id="1088134">CVE-2014-2419 mysql: unspecified DoS related to Partition (CPU April 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088143" id="1088143">CVE-2014-2430 mysql: unspecified DoS related to Performance Schema (CPU April 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088146" id="1088146">CVE-2014-2431 mysql: unspecified DoS related to Options (CPU April 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088179" id="1088179">CVE-2014-2432 mysql: unspecified DoS related to Federated (CPU April 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088190" id="1088190">CVE-2014-2436 mysql: unspecified vulnerability related to RBR (CPU April 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088191" id="1088191">CVE-2014-2438 mysql: unspecified DoS related to Replication (CPU April 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088197" id="1088197">CVE-2014-2440 mysql: unspecified vulnerability related to Client (CPU April 2014)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="mariadb is earlier than 1:5.5.37-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140702005"/>
<criterion comment="mariadb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702006"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-bench is earlier than 1:5.5.37-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140702011"/>
<criterion comment="mariadb-bench is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702012"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-devel is earlier than 1:5.5.37-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140702017"/>
<criterion comment="mariadb-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702018"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-embedded is earlier than 1:5.5.37-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140702013"/>
<criterion comment="mariadb-embedded is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702014"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-embedded-devel is earlier than 1:5.5.37-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140702009"/>
<criterion comment="mariadb-embedded-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702010"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-libs is earlier than 1:5.5.37-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140702007"/>
<criterion comment="mariadb-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702008"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-server is earlier than 1:5.5.37-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140702019"/>
<criterion comment="mariadb-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702020"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-test is earlier than 1:5.5.37-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140702015"/>
<criterion comment="mariadb-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140703" version="601">
<metadata>
<title>RHSA-2014:0703: json-c security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0703-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0703.html" source="RHSA"/>
<reference ref_id="CVE-2013-6370" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-6370.html" source="CVE"/>
<reference ref_id="CVE-2013-6371" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-6371.html" source="CVE"/>
<description>JSON-C implements a reference counting object model that allows you to
easily construct JSON objects in C, output them as JSON-formatted strings,
and parse JSON-formatted strings back into the C representation of
JSON objects.
Multiple buffer overflow flaws were found in the way the json-c library
handled long strings in JSON documents. An attacker able to make an
application using json-c parse excessively large JSON input could cause the
application to crash. (CVE-2013-6370)
A denial of service flaw was found in the implementation of hash arrays in
json-c. An attacker could use this flaw to make an application using json-c
consume an excessive amount of CPU time by providing a specially crafted
JSON document that triggers multiple hash function collisions. To mitigate
this issue, json-c now uses a different hash function and randomization to
reduce the chance of an attacker successfully causing intentional
collisions. (CVE-2013-6371)
These issues were discovered by Florian Weimer of the Red Hat Product
Security Team.
All json-c users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-6370.html">CVE-2013-6370</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-6371.html">CVE-2013-6371</cve>
<bugzilla href="https://bugzilla.redhat.com/1032311" id="1032311">CVE-2013-6371 json-c: hash collision DoS</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1032322" id="1032322">CVE-2013-6370 json-c: buffer overflow if size_t is larger than int</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="json-c-doc is earlier than 0:0.11-4.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140703009"/>
<criterion comment="json-c-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140703010"/>
</criteria>
<criteria operator="AND">
<criterion comment="json-c-devel is earlier than 0:0.11-4.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140703007"/>
<criterion comment="json-c-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140703008"/>
</criteria>
<criteria operator="AND">
<criterion comment="json-c is earlier than 0:0.11-4.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140703005"/>
<criterion comment="json-c is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140703006"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140704" version="601">
<metadata>
<title>RHSA-2014:0704: qemu-kvm security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0704-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0704.html" source="RHSA"/>
<reference ref_id="CVE-2014-2894" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2894.html" source="CVE"/>
<description>KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide a
user-space component to run virtual machines using KVM.
An out-of-bounds memory access flaw was found in the way QEMU's IDE device
driver handled the execution of SMART EXECUTE OFFLINE commands.
A privileged guest user could use this flaw to corrupt QEMU process memory
on the host, which could potentially result in arbitrary code execution on
the host with the privileges of the QEMU process. (CVE-2014-2894)
This update also fixes the following bugs:
* Prior to this update, a bug in the migration code caused the following
error on specific machine types: after a Red Hat Enterprise Linux 6.5 guest
was migrated from a Red Hat Enterprise Linux 6.5 host to a Red Hat
Enterprise Linux 7.0 host and then restarted, the boot failed and the guest
automatically restarted. Thus, the guest entered an endless loop. With this
update, the migration code has been fixed and the Red Hat Enterprise Linux
6.5 guests migrated in the aforementioned scenario now boot properly.
(BZ#1091322)
* Due to a regression bug in the iSCSI driver, the qemu-kvm process
terminated unexpectedly with a segmentation fault when the "write same"
command was executed in guest mode under the iSCSI protocol. This update
fixes the regression and the "write same" command now functions in guest
mode under iSCSI as intended. (BZ#1090978)
* Due to a mismatch in interrupt request (IRQ) routing, migration of a Red
Hat Enterprise Linux 6.5 guest from a Red Hat Enterprise Linux 6.5 host to
a Red Hat Enterprise Linux 7.0 host could produce a call trace.
This happened if memory ballooning and a Universal Host Control Interface
(UHCI) device were used at the same time on certain machine types.
With this patch, the IRQ routing mismatch has been amended and the
described migration now proceeds as expected. (BZ#1090981)
* Previously, an internal error prevented KVM from executing a CPU hot plug
on a Red Hat Enterprise Linux 7 guest running on a Red Hat Enterprise Linux
7 host. This update addresses the internal error and CPU hot plugging in
the described scenario now functions correctly. (BZ#1094820)
All qemu-kvm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2894.html">CVE-2014-2894</cve>
<bugzilla href="https://bugzilla.redhat.com/1087971" id="1087971">CVE-2014-2894 QEMU: out of bounds buffer accesses, guest triggerable via IDE SMART</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1090978" id="1090978">qemu-kvm: iSCSI: Failure. SENSE KEY:ILLEGAL_REQUEST(5) ASCQ:INVALID_FIELD_IN_CDB(0x2400)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1090981" id="1090981">Guest hits call trace migrate from RHEL6.5 to RHEL7.0 host with -M 6.1 & balloon & uhci device</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1091322" id="1091322">fail to reboot guest after migration from RHEL6.5 host to RHEL7.0 host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1094820" id="1094820">Hot plug CPU not working with RHEL6 machine types running on RHEL7 host.</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libcacard is earlier than 10:1.5.3-60.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140704007"/>
<criterion comment="libcacard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704008"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140704019"/>
<criterion comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704020"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-tools is earlier than 10:1.5.3-60.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140704015"/>
<criterion comment="libcacard-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704016"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140704011"/>
<criterion comment="qemu-guest-agent is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704012"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140704017"/>
<criterion comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704018"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-devel is earlier than 10:1.5.3-60.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140704009"/>
<criterion comment="libcacard-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704010"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm is earlier than 10:1.5.3-60.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140704005"/>
<criterion comment="qemu-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704006"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-img is earlier than 10:1.5.3-60.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140704013"/>
<criterion comment="qemu-img is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140741" version="601">
<metadata>
<title>RHSA-2014:0741: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:0741-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0741.html" source="RHSA"/>
<reference ref_id="CVE-2014-1533" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1533.html" source="CVE"/>
<reference ref_id="CVE-2014-1538" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1538.html" source="CVE"/>
<reference ref_id="CVE-2014-1541" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1541.html" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2014-1533, CVE-2014-1538, CVE-2014-1541)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Gary Kwong, Christoph Diehl, Christian Holler, Hannes
Verschore, Jan de Mooij, Ryan VanderMeulen, Jeff Walden, Kyle Huey,
Abhishek Arya, and Nils as the original reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 24.6.0 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 24.6.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-10"/>
<updated date="2014-06-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1533.html">CVE-2014-1533</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1538.html">CVE-2014-1538</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1541.html">CVE-2014-1541</cve>
<bugzilla href="https://bugzilla.redhat.com/1107399" id="1107399">CVE-2014-1533 Mozilla: Miscellaneous memory safety hazards (rv:24.6) (MFSA 2014-48)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1107421" id="1107421">CVE-2014-1538 Mozilla: Use-after-free and out of bounds issues found using Address Sanitizer (MFSA 2014-49)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1107424" id="1107424">CVE-2014-1541 Mozilla: Use-after-free with SMIL Animation Controller (MFSA 2014-52)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:24.6.0-1.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140741002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:24.6.0-1.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140741008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:24.6.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140741014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner-devel is earlier than 0:24.6.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140741017"/>
<criterion comment="xulrunner-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741018"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner is earlier than 0:24.6.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140741015"/>
<criterion comment="xulrunner is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741016"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140786" version="601">
<metadata>
<title>RHSA-2014:0786: kernel security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0786-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0786.html" source="RHSA"/>
<reference ref_id="CVE-2014-0206" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0206.html" source="CVE"/>
<reference ref_id="CVE-2014-1737" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1737.html" source="CVE"/>
<reference ref_id="CVE-2014-1738" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1738.html" source="CVE"/>
<reference ref_id="CVE-2014-2568" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2568.html" source="CVE"/>
<reference ref_id="CVE-2014-2851" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2851.html" source="CVE"/>
<reference ref_id="CVE-2014-3144" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3144.html" source="CVE"/>
<reference ref_id="CVE-2014-3145" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3145.html" source="CVE"/>
<reference ref_id="CVE-2014-3153" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3153.html" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the way the Linux kernel's futex subsystem handled
the requeuing of certain Priority Inheritance (PI) futexes. A local,
unprivileged user could use this flaw to escalate their privileges on the
system. (CVE-2014-3153, Important)
* A use-after-free flaw was found in the way the ping_init_sock() function
of the Linux kernel handled the group_info reference counter. A local,
unprivileged user could use this flaw to crash the system or, potentially,
escalate their privileges on the system. (CVE-2014-2851, Important)
* Use-after-free and information leak flaws were found in the way the
Linux kernel's floppy driver processed the FDRAWCMD IOCTL command. A local
user with write access to /dev/fdX could use these flaws to escalate their
privileges on the system. (CVE-2014-1737, CVE-2014-1738, Important)
* It was found that the aio_read_events_ring() function of the Linux
kernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the AIO
ring head received from user space. A local, unprivileged user could use
this flaw to disclose random parts of the (physical) memory belonging to
the kernel and/or other processes. (CVE-2014-0206, Moderate)
* An out-of-bounds memory access flaw was found in the Netlink Attribute
extension of the Berkeley Packet Filter (BPF) interpreter functionality in
the Linux kernel's networking implementation. A local, unprivileged user
could use this flaw to crash the system or leak kernel memory to user space
via a specially crafted socket filter. (CVE-2014-3144, CVE-2014-3145,
Moderate)
* An information leak flaw was found in the way the skb_zerocopy() function
copied socket buffers (skb) that are backed by user-space buffers (for
example vhost-net and Xen netback), potentially allowing an attacker to
read data from those buffers. (CVE-2014-2568, Low)
Red Hat would like to thank Kees Cook of Google for reporting
CVE-2014-3153 and Matthew Daley for reporting CVE-2014-1737 and CVE-2014-1738. Google acknowledges Pinkie Pie as the original reporter of
CVE-2014-3153. The CVE-2014-0206 issue was discovered by Mateusz Guzik of
Red Hat.
This update also fixes the following bugs:
* Due to incorrect calculation of Tx statistics in the qlcninc driver,
running the "ethtool -S ethX" command could trigger memory corruption.
As a consequence, running the sosreport tool, that uses this command,
resulted in a kernel panic. The problem has been fixed by correcting the
said statistics calculation. (BZ#1104972)
* When an attempt to create a file on the GFS2 file system failed due to a
file system quota violation, the relevant VFS inode was not completely
uninitialized. This could result in a list corruption error. This update
resolves this problem by correctly uninitializing the VFS inode in this
situation. (BZ#1097407)
* Due to a race condition in the kernel, the getcwd() system call could
return "/" instead of the correct full path name when querying a path name
of a file or directory. Paths returned in the "/proc" file system could
also be incorrect. This problem was causing instability of various
applications. The aforementioned race condition has been fixed and getcwd()
now always returns the correct paths. (BZ#1099048)
In addition, this update adds the following enhancements:
* The kernel mutex code has been improved. The changes include improved
queuing of the MCS spin locks, the MCS code optimization, introduction of
the cancellable MCS spin locks, and improved handling of mutexes without
wait locks. (BZ#1103631, BZ#1103629)
* The handling of the Virtual Memory Area (VMA) cache and huge page faults
has been improved. (BZ#1103630)
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements. The system must be rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-24"/>
<updated date="2014-06-24"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0206.html">CVE-2014-0206</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1737.html">CVE-2014-1737</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1738.html">CVE-2014-1738</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2568.html">CVE-2014-2568</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2851.html">CVE-2014-2851</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3144.html">CVE-2014-3144</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3145.html">CVE-2014-3145</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3153.html">CVE-2014-3153</cve>
<bugzilla href="https://bugzilla.redhat.com/1079012" id="1079012">CVE-2014-2568 kernel: net: potential information leak when ubuf backed skbs are skb_zerocopy()ied</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086730" id="1086730">CVE-2014-2851 kernel: net: ping: refcount issue in ping_init_sock() function</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1094299" id="1094299">CVE-2014-1737 CVE-2014-1738 kernel: block: floppy: privilege escalation via FDRAWCMD floppy ioctl command</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1094602" id="1094602">CVE-2014-0206 kernel: aio: insufficient sanitization of head in aio_read_events_ring()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1096775" id="1096775">CVE-2014-3144 CVE-2014-3145 Kernel: filter: prevent nla extensions to peek beyond the end of the message</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1103626" id="1103626">CVE-2014-3153 kernel: futex: pi futexes requeue issue</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786031"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786019"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786027"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786017"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786011"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786029"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786015"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786033"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786021"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786013"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786009"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-123.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20140786023"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140790" version="601">
<metadata>
<title>RHSA-2014:0790: dovecot security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0790-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0790.html" source="RHSA"/>
<reference ref_id="CVE-2014-3430" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3430.html" source="CVE"/>
<description>Dovecot is an IMAP server, written with security primarily in mind, for
Linux and other UNIX-like systems. It also contains a small POP3 server.
It supports mail in both the maildir or mbox format. The SQL drivers and
authentication plug-ins are provided as subpackages.
It was discovered that Dovecot did not properly discard connections trapped
in the SSL/TLS handshake phase. A remote attacker could use this flaw to
cause a denial of service on an IMAP/POP3 server by exhausting the pool of
available connections and preventing further, legitimate connections to the
IMAP/POP3 server to be made. (CVE-2014-3430)
All dovecot users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
updated packages, the dovecot service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-06-25"/>
<updated date="2014-06-25"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3430.html">CVE-2014-3430</cve>
<bugzilla href="https://bugzilla.redhat.com/1096402" id="1096402">CVE-2014-3430 dovecot: denial of service through maxxing out SSL connections</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="dovecot-pigeonhole is earlier than 1:2.0.9-7.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20140790007"/>
<criterion comment="dovecot-pigeonhole is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140790008"/>
</criteria>
<criteria operator="AND">
<criterion comment="dovecot-mysql is earlier than 1:2.0.9-7.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20140790009"/>
<criterion comment="dovecot-mysql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140790010"/>
</criteria>
<criteria operator="AND">
<criterion comment="dovecot is earlier than 1:2.0.9-7.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20140790005"/>
<criterion comment="dovecot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140790006"/>
</criteria>
<criteria operator="AND">
<criterion comment="dovecot-devel is earlier than 1:2.0.9-7.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20140790011"/>
<criterion comment="dovecot-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140790012"/>
</criteria>
<criteria operator="AND">
<criterion comment="dovecot-pgsql is earlier than 1:2.0.9-7.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20140790013"/>
<criterion comment="dovecot-pgsql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140790014"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="dovecot-pigeonhole is earlier than 1:2.2.10-4.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140790020"/>
<criterion comment="dovecot-pigeonhole is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140790008"/>
</criteria>
<criteria operator="AND">
<criterion comment="dovecot-mysql is earlier than 1:2.2.10-4.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140790021"/>
<criterion comment="dovecot-mysql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140790010"/>
</criteria>
<criteria operator="AND">
<criterion comment="dovecot is earlier than 1:2.2.10-4.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140790019"/>
<criterion comment="dovecot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140790006"/>
</criteria>
<criteria operator="AND">
<criterion comment="dovecot-pgsql is earlier than 1:2.2.10-4.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140790022"/>
<criterion comment="dovecot-pgsql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140790014"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140827" version="601">
<metadata>
<title>RHSA-2014:0827: tomcat security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0827-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0827.html" source="RHSA"/>
<reference ref_id="CVE-2014-0075" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0075.html" source="CVE"/>
<reference ref_id="CVE-2014-0096" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0096.html" source="CVE"/>
<reference ref_id="CVE-2014-0099" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0099.html" source="CVE"/>
<description>Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
It was discovered that Apache Tomcat did not limit the length of chunk
sizes when using chunked transfer encoding. A remote attacker could use
this flaw to perform a denial of service attack against Tomcat by streaming
an unlimited quantity of data, leading to excessive consumption of server
resources. (CVE-2014-0075)
It was found that Apache Tomcat did not check for overflowing values when
parsing request content length headers. A remote attacker could use this
flaw to perform an HTTP request smuggling attack on a Tomcat server located
behind a reverse proxy that processed the content length header correctly.
(CVE-2014-0099)
It was found that the org.apache.catalina.servlets.DefaultServlet
implementation in Apache Tomcat allowed the definition of XML External
Entities (XXEs) in provided XSLTs. A malicious application could use this
to circumvent intended security restrictions to disclose sensitive
information. (CVE-2014-0096)
The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product
Security.
All Tomcat 7 users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. Tomcat must be
restarted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-02"/>
<updated date="2014-07-02"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0075.html">CVE-2014-0075</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0096.html">CVE-2014-0096</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0099.html">CVE-2014-0099</cve>
<bugzilla href="https://bugzilla.redhat.com/1072776" id="1072776">CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088342" id="1088342">CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1102030" id="1102030">CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="tomcat-el-2.2-api is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827019"/>
<criterion comment="tomcat-el-2.2-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686024"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827005"/>
<criterion comment="tomcat is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686006"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-lib is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827017"/>
<criterion comment="tomcat-lib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686010"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-jsp-2.2-api is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827021"/>
<criterion comment="tomcat-jsp-2.2-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686018"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-docs-webapp is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827007"/>
<criterion comment="tomcat-docs-webapp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686014"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-admin-webapps is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827023"/>
<criterion comment="tomcat-admin-webapps is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686016"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-jsvc is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827011"/>
<criterion comment="tomcat-jsvc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686022"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-webapps is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827013"/>
<criterion comment="tomcat-webapps is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686008"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-servlet-3.0-api is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827015"/>
<criterion comment="tomcat-servlet-3.0-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686020"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-javadoc is earlier than 0:7.0.42-6.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140827009"/>
<criterion comment="tomcat-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686012"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140861" version="601">
<metadata>
<title>RHSA-2014:0861: lzo security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0861-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0861.html" source="RHSA"/>
<reference ref_id="CVE-2014-4607" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4607.html" source="CVE"/>
<description>LZO is a portable lossless data compression library written in ANSI C.
An integer overflow flaw was found in the way the lzo library decompressed
certain archives compressed with the LZO algorithm. An attacker could
create a specially crafted LZO-compressed input that, when decompressed by
an application using the lzo library, would cause that application to crash
or, potentially, execute arbitrary code. (CVE-2014-4607)
Red Hat would like to thank Don A. Bailey from Lab Mouse Security for
reporting this issue.
All lzo users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all services linked to the lzo library must be restarted or the
system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-09"/>
<updated date="2014-07-09"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4607.html">CVE-2014-4607</cve>
<bugzilla href="https://bugzilla.redhat.com/1112418" id="1112418">CVE-2014-4607 lzo: lzo1x_decompress_safe() integer overflow</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="lzo is earlier than 0:2.03-3.1.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20140861005"/>
<criterion comment="lzo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140861006"/>
</criteria>
<criteria operator="AND">
<criterion comment="lzo-devel is earlier than 0:2.03-3.1.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20140861009"/>
<criterion comment="lzo-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140861010"/>
</criteria>
<criteria operator="AND">
<criterion comment="lzo-minilzo is earlier than 0:2.03-3.1.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20140861007"/>
<criterion comment="lzo-minilzo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140861008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="lzo is earlier than 0:2.06-6.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140861015"/>
<criterion comment="lzo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140861006"/>
</criteria>
<criteria operator="AND">
<criterion comment="lzo-devel is earlier than 0:2.06-6.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140861017"/>
<criterion comment="lzo-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140861010"/>
</criteria>
<criteria operator="AND">
<criterion comment="lzo-minilzo is earlier than 0:2.06-6.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20140861016"/>
<criterion comment="lzo-minilzo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140861008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140867" version="601">
<metadata>
<title>RHSA-2014:0867: samba security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0867-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0867.html" source="RHSA"/>
<reference ref_id="CVE-2014-0178" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0178.html" source="CVE"/>
<reference ref_id="CVE-2014-0244" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0244.html" source="CVE"/>
<reference ref_id="CVE-2014-3493" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3493.html" source="CVE"/>
<description>Samba is an open-source implementation of the Server Message Block (SMB) or
Common Internet File System (CIFS) protocol, which allows PC-compatible
machines to share files, printers, and other information.
A denial of service flaw was found in the way the sys_recvfile() function
of nmbd, the NetBIOS message block daemon, processed non-blocking sockets.
An attacker could send a specially crafted packet that, when processed,
would cause nmbd to enter an infinite loop and consume an excessive amount
of CPU time. (CVE-2014-0244)
A flaw was found in the way Samba created responses for certain
authenticated client requests when a shadow-copy VFS module was enabled.
An attacker able to send an authenticated request could use this flaw to
disclose limited portions of memory per each request. (CVE-2014-0178)
It was discovered that smbd, the Samba file server daemon, did not properly
handle certain files that were stored on the disk and used a valid Unicode
character in the file name. An attacker able to send an authenticated
non-Unicode request that attempted to read such a file could cause smbd to
crash. (CVE-2014-3493)
Red Hat would like to thank Daniel Berteaud of FIREWALL-SERVICES SARL for
reporting CVE-2014-0244, and the Samba project for reporting CVE-2014-0178
and CVE-2014-3493. The Samba project acknowledges Christof Schmitt as the
original reporter of CVE-2014-0178, and Simon Arlott as the original
reporter of CVE-2014-3493.
All Samba users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the smb service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-09"/>
<updated date="2014-07-09"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0178.html">CVE-2014-0178</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0244.html">CVE-2014-0244</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3493.html">CVE-2014-3493</cve>
<bugzilla href="https://bugzilla.redhat.com/1097815" id="1097815">CVE-2014-0244 samba: nmbd denial of service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1101992" id="1101992">CVE-2014-0178 samba: Uninitialized memory exposure</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108748" id="1108748">CVE-2014-3493 samba: smbd unicode path names denial of service</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="samba-winbind-modules is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867015"/>
<criterion comment="samba-winbind-modules is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867016"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-clients is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867017"/>
<criterion comment="samba-winbind-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867018"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-pidl is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867021"/>
<criterion comment="samba-pidl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867022"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867005"/>
<criterion comment="samba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867006"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-vfs-glusterfs is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867043"/>
<criterion comment="samba-vfs-glusterfs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867044"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-client is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867041"/>
<criterion comment="samba-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867042"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwbclient is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867025"/>
<criterion comment="libwbclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867026"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-test is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867039"/>
<criterion comment="samba-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867040"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsmbclient is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867037"/>
<criterion comment="libsmbclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867038"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-test-devel is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867029"/>
<criterion comment="samba-test-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867030"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-dc is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867027"/>
<criterion comment="samba-dc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867028"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-dc-libs is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867013"/>
<criterion comment="samba-dc-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867014"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwbclient-devel is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867007"/>
<criterion comment="libwbclient-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867008"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-devel is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867019"/>
<criterion comment="samba-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867020"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867035"/>
<criterion comment="samba-winbind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867036"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-common is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867033"/>
<criterion comment="samba-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867034"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-krb5-locator is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867011"/>
<criterion comment="samba-winbind-krb5-locator is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867012"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-python is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867009"/>
<criterion comment="samba-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsmbclient-devel is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867031"/>
<criterion comment="libsmbclient-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867032"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-libs is earlier than 0:4.1.1-35.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140867023"/>
<criterion comment="samba-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867024"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140889" version="601">
<metadata>
<title>RHSA-2014:0889: java-1.7.0-openjdk security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0889-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0889.html" source="RHSA"/>
<reference ref_id="CVE-2014-2483" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2483.html" source="CVE"/>
<reference ref_id="CVE-2014-2490" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2490.html" source="CVE"/>
<reference ref_id="CVE-2014-4209" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4209.html" source="CVE"/>
<reference ref_id="CVE-2014-4216" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4216.html" source="CVE"/>
<reference ref_id="CVE-2014-4218" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4218.html" source="CVE"/>
<reference ref_id="CVE-2014-4219" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4219.html" source="CVE"/>
<reference ref_id="CVE-2014-4221" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4221.html" source="CVE"/>
<reference ref_id="CVE-2014-4223" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4223.html" source="CVE"/>
<reference ref_id="CVE-2014-4244" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4244.html" source="CVE"/>
<reference ref_id="CVE-2014-4252" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4252.html" source="CVE"/>
<reference ref_id="CVE-2014-4262" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4262.html" source="CVE"/>
<reference ref_id="CVE-2014-4263" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4263.html" source="CVE"/>
<reference ref_id="CVE-2014-4266" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4266.html" source="CVE"/>
<description>The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
It was discovered that the Hotspot component in OpenJDK did not properly
verify bytecode from the class files. An untrusted Java application or
applet could possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2014-4216, CVE-2014-4219)
A format string flaw was discovered in the Hotspot component event logger
in OpenJDK. An untrusted Java application or applet could use this flaw to
crash the Java Virtual Machine or, potentially, execute arbitrary code with
the privileges of the Java Virtual Machine. (CVE-2014-2490)
Multiple improper permission check issues were discovered in the Libraries
component in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2014-4223,
CVE-2014-4262, CVE-2014-2483)
Multiple flaws were discovered in the JMX, Libraries, Security, and
Serviceability components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass certain Java sandbox restrictions.
(CVE-2014-4209, CVE-2014-4218, CVE-2014-4221, CVE-2014-4252, CVE-2014-4266)
It was discovered that the RSA algorithm in the Security component in
OpenJDK did not sufficiently perform blinding while performing operations
that were using private keys. An attacker able to measure timing
differences of those operations could possibly leak information about the
used keys. (CVE-2014-4244)
The Diffie-Hellman (DH) key exchange algorithm implementation in the
Security component in OpenJDK failed to validate public DH parameters
properly. This could cause OpenJDK to accept and use weak parameters,
allowing an attacker to recover the negotiated key. (CVE-2014-4263)
The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat
Product Security.
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-16"/>
<updated date="2014-07-16"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2483.html">CVE-2014-2483</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2490.html">CVE-2014-2490</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4209.html">CVE-2014-4209</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4216.html">CVE-2014-4216</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4218.html">CVE-2014-4218</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4219.html">CVE-2014-4219</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4221.html">CVE-2014-4221</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4223.html">CVE-2014-4223</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4244.html">CVE-2014-4244</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4252.html">CVE-2014-4252</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4262.html">CVE-2014-4262</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4263.html">CVE-2014-4263</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4266.html">CVE-2014-4266</cve>
<bugzilla href="https://bugzilla.redhat.com/1075795" id="1075795">CVE-2014-4262 OpenJDK: AtomicReferenceFieldUpdater missing primitive type check (Libraries, 8039520)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119475" id="1119475">CVE-2014-4244 OpenJDK: RSA blinding issues (Security, 8031346)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119476" id="1119476">CVE-2014-4263 OpenJDK: insufficient Diffie-Hellman public key validation (Security, 8037162)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119483" id="1119483">CVE-2014-4221 OpenJDK: MethodHandles.Lookup insufficient modifiers checks (Libraries, 8035788)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119596" id="1119596">CVE-2014-4219 OpenJDK: Bytecode verification does not prevent ctor calls to this() and super() (Hotspot, 8035119)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119597" id="1119597">CVE-2014-2490 OpenJDK: Event logger format string vulnerability (Hotspot, 8037076)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119600" id="1119600">CVE-2014-4216 OpenJDK: Incorrect generic signature attribute parsing (Hotspot, 8037076)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119602" id="1119602">CVE-2014-4223 OpenJDK: Incorrect handling of invocations with exhausted ranks (Libraries, 8035793)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119608" id="1119608">CVE-2014-4209 OpenJDK: SubjectDelegator protection insufficient (JMX, 8029755)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119611" id="1119611">CVE-2014-4218 OpenJDK: Clone interfaces passed to proxy methods (Libraries, 8035009)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119613" id="1119613">CVE-2014-4252 OpenJDK: Prevent instantiation of service with non-public constructor (Security, 8035004)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119615" id="1119615">CVE-2014-4266 OpenJDK: InfoBuilder incorrect return values (Serviceability, 8033301)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119626" id="1119626">CVE-2014-2483 OpenJDK: Restrict use of privileged annotations (Libraries, 8034985)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.65-2.5.1.2.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140889005"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.65-2.5.1.2.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140889011"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.65-2.5.1.2.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140889013"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.65-2.5.1.2.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140889009"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.65-2.5.1.2.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140889007"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.65-2.5.1.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140889019"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.65-2.5.1.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140889024"/>
<criterion comment="java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.65-2.5.1.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140889027"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.65-2.5.1.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140889022"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.65-2.5.1.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140889020"/>
<criterion comment="java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.65-2.5.1.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140889026"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.65-2.5.1.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140889023"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140907" version="601">
<metadata>
<title>RHSA-2014:0907: java-1.6.0-openjdk security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0907-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0907.html" source="RHSA"/>
<reference ref_id="CVE-2014-2490" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2490.html" source="CVE"/>
<reference ref_id="CVE-2014-4209" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4209.html" source="CVE"/>
<reference ref_id="CVE-2014-4216" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4216.html" source="CVE"/>
<reference ref_id="CVE-2014-4218" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4218.html" source="CVE"/>
<reference ref_id="CVE-2014-4219" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4219.html" source="CVE"/>
<reference ref_id="CVE-2014-4244" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4244.html" source="CVE"/>
<reference ref_id="CVE-2014-4252" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4252.html" source="CVE"/>
<reference ref_id="CVE-2014-4262" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4262.html" source="CVE"/>
<reference ref_id="CVE-2014-4263" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4263.html" source="CVE"/>
<reference ref_id="CVE-2014-4266" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4266.html" source="CVE"/>
<description>The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
It was discovered that the Hotspot component in OpenJDK did not properly
verify bytecode from the class files. An untrusted Java application or
applet could possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2014-4216, CVE-2014-4219)
A format string flaw was discovered in the Hotspot component event logger
in OpenJDK. An untrusted Java application or applet could use this flaw to
crash the Java Virtual Machine or, potentially, execute arbitrary code with
the privileges of the Java Virtual Machine. (CVE-2014-2490)
An improper permission check issue was discovered in the Libraries
component in OpenJDK. An untrusted Java application or applet could use
this flaw to bypass Java sandbox restrictions. (CVE-2014-4262)
Multiple flaws were discovered in the JMX, Libraries, Security, and
Serviceability components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass certain Java sandbox restrictions.
(CVE-2014-4209, CVE-2014-4218, CVE-2014-4252, CVE-2014-4266)
It was discovered that the RSA algorithm in the Security component in
OpenJDK did not sufficiently perform blinding while performing operations
that were using private keys. An attacker able to measure timing
differences of those operations could possibly leak information about the
used keys. (CVE-2014-4244)
The Diffie-Hellman (DH) key exchange algorithm implementation in the
Security component in OpenJDK failed to validate public DH parameters
properly. This could cause OpenJDK to accept and use weak parameters,
allowing an attacker to recover the negotiated key. (CVE-2014-4263)
The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat
Product Security.
This update also fixes the following bug:
* Prior to this update, an application accessing an unsynchronized HashMap
could potentially enter an infinite loop and consume an excessive amount of
CPU resources. This update resolves this issue. (BZ#1115580)
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-21"/>
<updated date="2014-07-21"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2490.html">CVE-2014-2490</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4209.html">CVE-2014-4209</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4216.html">CVE-2014-4216</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4218.html">CVE-2014-4218</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4219.html">CVE-2014-4219</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4244.html">CVE-2014-4244</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4252.html">CVE-2014-4252</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4262.html">CVE-2014-4262</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4263.html">CVE-2014-4263</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4266.html">CVE-2014-4266</cve>
<bugzilla href="https://bugzilla.redhat.com/1075795" id="1075795">CVE-2014-4262 OpenJDK: AtomicReferenceFieldUpdater missing primitive type check (Libraries, 8039520)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119475" id="1119475">CVE-2014-4244 OpenJDK: RSA blinding issues (Security, 8031346)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119476" id="1119476">CVE-2014-4263 OpenJDK: insufficient Diffie-Hellman public key validation (Security, 8037162)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119596" id="1119596">CVE-2014-4219 OpenJDK: Bytecode verification does not prevent ctor calls to this() and super() (Hotspot, 8035119)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119597" id="1119597">CVE-2014-2490 OpenJDK: Event logger format string vulnerability (Hotspot, 8037076)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119600" id="1119600">CVE-2014-4216 OpenJDK: Incorrect generic signature attribute parsing (Hotspot, 8037076)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119608" id="1119608">CVE-2014-4209 OpenJDK: SubjectDelegator protection insufficient (JMX, 8029755)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119611" id="1119611">CVE-2014-4218 OpenJDK: Clone interfaces passed to proxy methods (Libraries, 8035009)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119613" id="1119613">CVE-2014-4252 OpenJDK: Prevent instantiation of service with non-public constructor (Security, 8035004)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119615" id="1119615">CVE-2014-4266 OpenJDK: InfoBuilder incorrect return values (Serviceability, 8033301)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.4.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140907002"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907003"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.4.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140907010"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907011"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.4.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140907008"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907009"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.4.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140907006"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907007"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.4.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140907004"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907005"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.4.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140907016"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.4.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140907022"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.4.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140907018"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.4.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140907024"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.4.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140907020"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.4.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140907030"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.4.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140907034"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.4.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140907032"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.4.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140907031"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.4.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140907033"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140914" version="602">
<metadata>
<title>RHSA-2014:0914: libvirt security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0914-01" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0914.html" source="RHSA"/>
<reference ref_id="CVE-2014-0179" ref_url="https://access.redhat.com/security/cve/CVE-2014-0179" source="CVE"/>
<reference ref_id="CVE-2014-5177" ref_url="https://access.redhat.com/security/cve/CVE-2014-5177" source="CVE"/>
<description>The libvirt library is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems.
In addition, libvirt provides tools for remote management of
virtualized systems.
It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML
documents using the libxml2 library, in which case all XML entities in the
parsed documents are expanded. A user able to force libvirtd to parse an
XML document with an entity pointing to a file could use this flaw to read
the contents of that file; parsing an XML document with an entity pointing
to a special file that blocks on read access could cause libvirtd to hang
indefinitely, resulting in a denial of service on the system.
(CVE-2014-0179)
Red Hat would like to thank the upstream Libvirt project for reporting this
issue. Upstream acknowledges Daniel P. Berrange and Richard Jones as the
original reporters.
This update also fixes the following bugs:
* A previous update of the libvirt package introduced an error; a
SIG_SETMASK argument was incorrectly replaced by a SIG_BLOCK argument after
the poll() system call. Consequently, the SIGCHLD signal could be
permanently blocked, which caused signal masks to not return to their
original values and defunct processes to be generated. With this update,
the original signal masks are restored and defunct processes are no longer
generated. (BZ#1112689)
* An attempt to start a domain that did not exist caused network filters to
be locked for read-only access. As a consequence, when trying to gain
read-write access, a deadlock occurred. This update applies a patch to fix
this bug and an attempt to start a non-existent domain no longer causes a
deadlock in the described scenario. (BZ#1112690)
* Previously, the libvirtd daemon was binding only to addresses that were
configured on certain network interfaces. When libvirtd started before the
IPv4 addresses had been configured, libvirtd listened only on the IPv6
addresses. The daemon has been modified to not require an address to be
configured when binding to a wildcard address, such as "0.0.0.0" or "::".
As a result, libvirtd binds to both IPv4 and IPv6 addresses as expected.
(BZ#1112692)
Users of libvirt are advised to upgrade to these updated packages, which
fix these bugs. After installing the updated packages, libvirtd will be
restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-22"/>
<updated date="2014-07-22"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0179">CVE-2014-0179</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-5177">CVE-2014-5177</cve>
<bugzilla href="https://bugzilla.redhat.com/1088290" id="1088290">CVE-2014-0179 CVE-2014-5177 libvirt: unsafe parsing of XML documents allows libvirt DoS and/or arbitrary file read</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112689" id="1112689">use of tls with libvirt.so can leave zombie processes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112690" id="1112690">nwfilter deadlock</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112692" id="1112692">libvirt binds only to ipv6</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libvirt is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914005"/>
<criterion comment="libvirt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-client is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914033"/>
<criterion comment="libvirt-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914034"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914015"/>
<criterion comment="libvirt-daemon is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914016"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-config-network is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914007"/>
<criterion comment="libvirt-daemon-config-network is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-config-nwfilter is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914021"/>
<criterion comment="libvirt-daemon-config-nwfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914022"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-interface is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914027"/>
<criterion comment="libvirt-daemon-driver-interface is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914028"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-lxc is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914025"/>
<criterion comment="libvirt-daemon-driver-lxc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914026"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-network is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914009"/>
<criterion comment="libvirt-daemon-driver-network is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-nodedev is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914019"/>
<criterion comment="libvirt-daemon-driver-nodedev is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914020"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-nwfilter is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914037"/>
<criterion comment="libvirt-daemon-driver-nwfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914038"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-qemu is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914039"/>
<criterion comment="libvirt-daemon-driver-qemu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914040"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-secret is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914011"/>
<criterion comment="libvirt-daemon-driver-secret is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-storage is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914017"/>
<criterion comment="libvirt-daemon-driver-storage is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914018"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-kvm is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914043"/>
<criterion comment="libvirt-daemon-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914044"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-lxc is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914029"/>
<criterion comment="libvirt-daemon-lxc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914030"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-devel is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914023"/>
<criterion comment="libvirt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914024"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-docs is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914031"/>
<criterion comment="libvirt-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914032"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-lock-sanlock is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914041"/>
<criterion comment="libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914042"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-login-shell is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914013"/>
<criterion comment="libvirt-login-shell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914014"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-python is earlier than 0:1.1.1-29.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20140914035"/>
<criterion comment="libvirt-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914036"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140916" version="601">
<metadata>
<title>RHSA-2014:0916: nss and nspr security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:0916-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0916.html" source="RHSA"/>
<reference ref_id="CVE-2014-1544" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1544.html" source="CVE"/>
<description>Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform
independence for non-GUI operating system facilities.
A race condition was found in the way NSS verified certain certificates.
A remote attacker could use this flaw to crash an application using NSS or,
possibly, execute arbitrary code with the privileges of the user running
that application. (CVE-2014-1544)
Red Hat would like to thank the Mozilla project for reporting
CVE-2014-1544. Upstream acknowledges Tyson Smith and Jesse Schwartzentruber
as the original reporters.
Users of NSS and NSPR are advised to upgrade to these updated packages,
which correct this issue. After installing this update, applications using
NSS or NSPR must be restarted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-22"/>
<updated date="2014-07-22"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1544.html">CVE-2014-1544</cve>
<bugzilla href="https://bugzilla.redhat.com/1116198" id="1116198">CVE-2014-1544 nss: Race-condition in certificate verification can lead to Remote code execution (MFSA 2014-63)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.15.3-7.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140916002"/>
<criterion comment="nss is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916003"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.15.3-7.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140916004"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916005"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.15.3-7.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140916006"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916007"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.15.3-7.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140916008"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916009"/>
</criteria>
<criteria operator="AND">
<criterion comment="nspr is earlier than 0:4.10.6-1.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140916010"/>
<criterion comment="nspr is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916011"/>
</criteria>
<criteria operator="AND">
<criterion comment="nspr-devel is earlier than 0:4.10.6-1.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140916012"/>
<criterion comment="nspr-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916013"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.15.4-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140916018"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.15.4-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140916022"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.15.4-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140916020"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.15.4-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140916024"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.15.4-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140916026"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
<criteria operator="AND">
<criterion comment="nspr is earlier than 0:4.10.6-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140916028"/>
<criterion comment="nspr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nspr-devel is earlier than 0:4.10.6-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140916030"/>
<criterion comment="nspr-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916031"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140919" version="601">
<metadata>
<title>RHSA-2014:0919: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:0919-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0919.html" source="RHSA"/>
<reference ref_id="CVE-2014-1547" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1547.html" source="CVE"/>
<reference ref_id="CVE-2014-1555" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1555.html" source="CVE"/>
<reference ref_id="CVE-2014-1556" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1556.html" source="CVE"/>
<reference ref_id="CVE-2014-1557" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1557.html" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2014-1547, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, David Keeler, Byron Campen, Jethro
Beekman, Patrick Cozzi, and Mozilla community member John as the original
reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 24.7.0 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 24.7.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-22"/>
<updated date="2014-07-22"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1547.html">CVE-2014-1547</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1555.html">CVE-2014-1555</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1556.html">CVE-2014-1556</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1557.html">CVE-2014-1557</cve>
<bugzilla href="https://bugzilla.redhat.com/1121464" id="1121464">CVE-2014-1547 Mozilla: Miscellaneous memory safety hazards (rv:24.7) (MFSA 2014-56)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1121476" id="1121476">CVE-2014-1555 Mozilla: Use-after-free with FireOnStateChange event (MFSA 2014-61)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1121478" id="1121478">CVE-2014-1556 Mozilla: Exploitable WebGL crash with Cesium JavaScript library (MFSA 2014-62)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1121479" id="1121479">CVE-2014-1557 Mozilla: Crash in Skia library when scaling high quality images (MFSA 2014-64)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:24.7.0-1.el5_10" test_ref="oval:com.redhat.rhsa:tst:20140919002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:24.7.0-1.el6_5" test_ref="oval:com.redhat.rhsa:tst:20140919008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:24.7.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140919014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner is earlier than 0:24.7.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140919015"/>
<criterion comment="xulrunner is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner-devel is earlier than 0:24.7.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140919017"/>
<criterion comment="xulrunner-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741018"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140921" version="601">
<metadata>
<title>RHSA-2014:0921: httpd security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0921-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0921.html" source="RHSA"/>
<reference ref_id="CVE-2013-4352" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4352.html" source="CVE"/>
<reference ref_id="CVE-2014-0117" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0117.html" source="CVE"/>
<reference ref_id="CVE-2014-0118" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0118.html" source="CVE"/>
<reference ref_id="CVE-2014-0226" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0226.html" source="CVE"/>
<reference ref_id="CVE-2014-0231" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0231.html" source="CVE"/>
<description>The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.
A race condition flaw, leading to heap-based buffer overflows, was found in
the mod_status httpd module. A remote attacker able to access a status page
served by mod_status on a server using a threaded Multi-Processing Module
(MPM) could send a specially crafted request that would cause the httpd
child process to crash or, possibly, allow the attacker to execute
arbitrary code with the privileges of the "apache" user. (CVE-2014-0226)
A NULL pointer dereference flaw was found in the mod_cache httpd module.
A malicious HTTP server could cause the httpd child process to crash when
the Apache HTTP Server was used as a forward proxy with caching.
(CVE-2013-4352)
A denial of service flaw was found in the mod_proxy httpd module. A remote
attacker could send a specially crafted request to a server configured as a
reverse proxy using a threaded Multi-Processing Modules (MPM) that would
cause the httpd child process to crash. (CVE-2014-0117)
A denial of service flaw was found in the way httpd's mod_deflate module
handled request body decompression (configured via the "DEFLATE" input
filter). A remote attacker able to send a request whose body would be
decompressed could use this flaw to consume an excessive amount of system
memory and CPU on the target system. (CVE-2014-0118)
A denial of service flaw was found in the way httpd's mod_cgid module
executed CGI scripts that did not read data from the standard input.
A remote attacker could submit a specially crafted request that would cause
the httpd child process to hang indefinitely. (CVE-2014-0231)
All httpd users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the httpd daemon will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-23"/>
<updated date="2014-07-23"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4352.html">CVE-2013-4352</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0117.html">CVE-2014-0117</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0118.html">CVE-2014-0118</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0226.html">CVE-2014-0226</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0231.html">CVE-2014-0231</cve>
<bugzilla href="https://bugzilla.redhat.com/1120596" id="1120596">CVE-2014-0231 httpd: mod_cgid denial of service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120599" id="1120599">CVE-2014-0117 httpd: mod_proxy denial of service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120601" id="1120601">CVE-2014-0118 httpd: mod_deflate denial of service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120603" id="1120603">CVE-2014-0226 httpd: mod_status heap-based buffer overflow</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120604" id="1120604">CVE-2013-4352 httpd: mod_cache NULL pointer dereference crash</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="httpd is earlier than 0:2.4.6-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140921005"/>
<criterion comment="httpd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921006"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpd-devel is earlier than 0:2.4.6-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140921013"/>
<criterion comment="httpd-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921014"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpd-manual is earlier than 0:2.4.6-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140921017"/>
<criterion comment="httpd-manual is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921018"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpd-tools is earlier than 0:2.4.6-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140921011"/>
<criterion comment="httpd-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921012"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_ldap is earlier than 0:2.4.6-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140921009"/>
<criterion comment="mod_ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921010"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_proxy_html is earlier than 1:2.4.6-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140921007"/>
<criterion comment="mod_proxy_html is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921008"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_session is earlier than 0:2.4.6-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140921015"/>
<criterion comment="mod_session is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921016"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_ssl is earlier than 1:2.4.6-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20140921019"/>
<criterion comment="mod_ssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140923" version="601">
<metadata>
<title>RHSA-2014:0923: kernel security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0923-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0923.html" source="RHSA"/>
<reference ref_id="CVE-2014-4699" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4699.html" source="CVE"/>
<reference ref_id="CVE-2014-4943" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4943.html" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* It was found that the Linux kernel's ptrace subsystem allowed a traced
process' instruction pointer to be set to a non-canonical memory address
without forcing the non-sysret code path when returning to user space.
A local, unprivileged user could use this flaw to crash the system or,
potentially, escalate their privileges on the system. (CVE-2014-4699,
Important)
Note: The CVE-2014-4699 issue only affected systems using an Intel CPU.
* A flaw was found in the way the pppol2tp_setsockopt() and
pppol2tp_getsockopt() functions in the Linux kernel's PPP over L2TP
implementation handled requests with a non-SOL_PPPOL2TP socket option
level. A local, unprivileged user could use this flaw to escalate their
privileges on the system. (CVE-2014-4943, Important)
Red Hat would like to thank Andy Lutomirski for reporting CVE-2014-4699,
and Sasha Levin for reporting CVE-2014-4943.
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-23"/>
<updated date="2014-07-23"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4699.html">CVE-2014-4699</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4943.html">CVE-2014-4943</cve>
<bugzilla href="https://bugzilla.redhat.com/1115927" id="1115927">CVE-2014-4699 kernel: x86_64: ptrace: sysret to non-canonical address</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119458" id="1119458">CVE-2014-4943 kernel: net: pppol2tp: level handling in pppol2tp_[s,g]etsockopt()</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923033"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923019"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923017"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923009"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923031"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923029"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923027"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923013"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923015"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923011"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923021"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-123.4.4.el7" test_ref="oval:com.redhat.rhsa:tst:20140923023"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20140927" version="602">
<metadata>
<title>RHSA-2014:0927: qemu-kvm security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:0927-01" ref_url="https://rhn.redhat.com/errata/RHSA-2014-0927.html" source="RHSA"/>
<reference ref_id="CVE-2013-4148" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4148.html" source="CVE"/>
<reference ref_id="CVE-2013-4149" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4149.html" source="CVE"/>
<reference ref_id="CVE-2013-4150" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4150.html" source="CVE"/>
<reference ref_id="CVE-2013-4151" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4151.html" source="CVE"/>
<reference ref_id="CVE-2013-4527" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4527.html" source="CVE"/>
<reference ref_id="CVE-2013-4529" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4529.html" source="CVE"/>
<reference ref_id="CVE-2013-4535" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4535.html" source="CVE"/>
<reference ref_id="CVE-2013-4536" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4536.html" source="CVE"/>
<reference ref_id="CVE-2013-4541" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4541.html" source="CVE"/>
<reference ref_id="CVE-2013-4542" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4542.html" source="CVE"/>
<reference ref_id="CVE-2013-6399" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-6399.html" source="CVE"/>
<reference ref_id="CVE-2014-0182" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0182.html" source="CVE"/>
<reference ref_id="CVE-2014-0222" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0222.html" source="CVE"/>
<reference ref_id="CVE-2014-0223" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0223.html" source="CVE"/>
<reference ref_id="CVE-2014-3461" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3461.html" source="CVE"/>
<description>KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the
user-space component for running virtual machines using KVM.
Two integer overflow flaws were found in the QEMU block driver for QCOW
version 1 disk images. A user able to alter the QEMU disk image files
loaded by a guest could use either of these flaws to corrupt QEMU process
memory on the host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.
(CVE-2014-0222, CVE-2014-0223)
Multiple buffer overflow, input validation, and out-of-bounds write flaws
were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet
drivers of QEMU handled state loading after migration. A user able to alter
the savevm data (either on the disk or over the wire during migration)
could use either of these flaws to corrupt QEMU process memory on the
(destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.
(CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527,
CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542,
CVE-2013-6399, CVE-2014-0182, CVE-2014-3461)
These issues were discovered by Michael S. Tsirkin, Anthony Liguori and
Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150,
CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536,
CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and
CVE-2014-3461.
This update also fixes the following bugs:
* Previously, QEMU did not free pre-allocated zero clusters correctly and
the clusters under some circumstances leaked. With this update,
pre-allocated zero clusters are freed appropriately and the cluster leaks
no longer occur. (BZ#1110188)
* Prior to this update, the QEMU command interface did not properly handle
resizing of cache memory during guest migration, causing QEMU to terminate
unexpectedly with a segmentation fault and QEMU to fail. This update fixes
the related code and QEMU no longer crashes in the described situation.
(BZ#1110191)
* Previously, when a guest device was hot unplugged, QEMU correctly removed
the corresponding file descriptor watch but did not re-create it after the
device was re-connected. As a consequence, the guest became unable to
receive any data from the host over this device. With this update, the file
descriptor's watch is re-created and the guest in the above scenario can
communicate with the host as expected. (BZ#1110219)
* Previously, the QEMU migration code did not account for the gaps caused
by hot unplugged devices and thus expected more memory to be transferred
during migrations. As a consequence, guest migration failed to complete
after multiple devices were hot unplugged. In addition, the migration info
text displayed erroneous values for the "remaining ram" item. With this
update, QEMU calculates memory after a device has been unplugged correctly,
and any subsequent guest migrations proceed as expected. (BZ#1110189)
All qemu-kvm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-07-23"/>
<updated date="2014-07-23"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4148.html">CVE-2013-4148</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4149.html">CVE-2013-4149</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4150.html">CVE-2013-4150</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4151.html">CVE-2013-4151</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4527.html">CVE-2013-4527</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4529.html">CVE-2013-4529</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4535.html">CVE-2013-4535</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4536.html">CVE-2013-4536</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4541.html">CVE-2013-4541</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4542.html">CVE-2013-4542</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-6399.html">CVE-2013-6399</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0182.html">CVE-2014-0182</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0222.html">CVE-2014-0222</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0223.html">CVE-2014-0223</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3461.html">CVE-2014-3461</cve>
<bugzilla href="https://bugzilla.redhat.com/1066334" id="1066334">CVE-2013-4148 qemu: virtio-net: buffer overflow on invalid state load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066337" id="1066337">CVE-2013-4149 qemu: virtio-net: out-of-bounds buffer write on load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066340" id="1066340">CVE-2013-4150 qemu: virtio-net: out-of-bounds buffer write on invalid state load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066342" id="1066342">CVE-2013-4151 qemu: virtio: out-of-bounds buffer write on invalid state load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066347" id="1066347">CVE-2013-4527 qemu: hpet: buffer overrun on invalid state load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066353" id="1066353">CVE-2013-4529 qemu: hw/pci/pcie_aer.c: buffer overrun on invalid state load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066361" id="1066361">CVE-2013-6399 qemu: virtio: buffer overrun on incoming migration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066382" id="1066382">CVE-2013-4542 qemu: virtio-scsi: buffer overrun on invalid state load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066384" id="1066384">CVE-2013-4541 qemu: usb: insufficient sanity checking of setup_index+setup_len in post_load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066401" id="1066401">CVE-2013-4535 CVE-2013-4536 qemu: virtio: insufficient validation of num_sg when mapping</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088986" id="1088986">CVE-2014-0182 qemu: virtio: out-of-bounds buffer write on state load with invalid config_len</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1096821" id="1096821">CVE-2014-3461 Qemu: usb: fix up post load checks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097216" id="1097216">CVE-2014-0222 Qemu: qcow1: validate L2 table size to avoid integer overflows</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097222" id="1097222">CVE-2014-0223 Qemu: qcow1: validate image size to avoid out-of-bounds memory access</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1110188" id="1110188">qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1110189" id="1110189">migration can not finish with 1024k 'remaining ram' left after hotunplug 4 nics</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1110191" id="1110191">Reduce the migrate cache size during migration causes qemu segment fault</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1110219" id="1110219">Guest can't receive any character transmitted from host after hot unplugging virtserialport then hot plugging again</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libcacard is earlier than 10:1.5.3-60.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20140927011"/>
<criterion comment="libcacard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-devel is earlier than 10:1.5.3-60.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20140927015"/>
<criterion comment="libcacard-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-tools is earlier than 10:1.5.3-60.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20140927013"/>
<criterion comment="libcacard-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704016"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20140927007"/>
<criterion comment="qemu-guest-agent is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704012"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-img is earlier than 10:1.5.3-60.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20140927009"/>
<criterion comment="qemu-img is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704014"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm is earlier than 10:1.5.3-60.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20140927005"/>
<criterion comment="qemu-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704006"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20140927019"/>
<criterion comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704018"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20140927017"/>
<criterion comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141008" version="602">
<metadata>
<title>RHSA-2014:1008: samba security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1008-01" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1008.html" source="RHSA"/>
<reference ref_id="CVE-2014-3560" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3560.html" source="CVE"/>
<description>Samba is an open-source implementation of the Server Message Block (SMB) or
Common Internet File System (CIFS) protocol, which allows PC-compatible
machines to share files, printers, and other information.
A heap-based buffer overflow flaw was found in Samba's NetBIOS message
block daemon (nmbd). An attacker on the local network could use this flaw
to send specially crafted packets that, when processed by nmbd, could
possibly lead to arbitrary code execution with root privileges.
(CVE-2014-3560)
This update also fixes the following bug:
* Prior to this update, Samba incorrectly used the O_TRUNC flag when using
the open(2) system call to access the contents of a file that was already
opened by a different process, causing the file's previous contents to be
removed. With this update, the O_TRUNC flag is no longer used in the above
scenario, and file corruption no longer occurs. (BZ#1115490)
All Samba users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the smb service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-05"/>
<updated date="2014-08-05"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3560.html">CVE-2014-3560</cve>
<bugzilla href="https://bugzilla.redhat.com/1115490" id="1115490">Samba file corruption as a result of failed lock check</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libsmbclient is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008033"/>
<criterion comment="libsmbclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867038"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsmbclient-devel is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008041"/>
<criterion comment="libsmbclient-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867032"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwbclient is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008007"/>
<criterion comment="libwbclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867026"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwbclient-devel is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008039"/>
<criterion comment="libwbclient-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867008"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008005"/>
<criterion comment="samba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867006"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-client is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008015"/>
<criterion comment="samba-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867042"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-common is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008031"/>
<criterion comment="samba-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867034"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-dc is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008027"/>
<criterion comment="samba-dc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867028"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-dc-libs is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008023"/>
<criterion comment="samba-dc-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867014"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-devel is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008019"/>
<criterion comment="samba-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867020"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-libs is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008009"/>
<criterion comment="samba-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867024"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-pidl is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008017"/>
<criterion comment="samba-pidl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867022"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-python is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008029"/>
<criterion comment="samba-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867010"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-test is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008035"/>
<criterion comment="samba-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867040"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-test-devel is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008021"/>
<criterion comment="samba-test-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867030"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-vfs-glusterfs is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008043"/>
<criterion comment="samba-vfs-glusterfs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867044"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008011"/>
<criterion comment="samba-winbind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867036"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-clients is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008013"/>
<criterion comment="samba-winbind-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867018"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-krb5-locator is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008037"/>
<criterion comment="samba-winbind-krb5-locator is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867012"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-modules is earlier than 0:4.1.1-37.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141008025"/>
<criterion comment="samba-winbind-modules is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141011" version="602">
<metadata>
<title>RHSA-2014:1011: resteasy-base security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1011-01" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1011.html" source="RHSA"/>
<reference ref_id="CVE-2014-3490" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3490.html" source="CVE"/>
<description>RESTEasy contains a JBoss project that provides frameworks to help build
RESTful Web Services and RESTful Java applications. It is a fully certified
and portable implementation of the JAX-RS specification.
It was found that the fix for CVE-2012-0818 was incomplete: external
parameter entities were not disabled when the
resteasy.document.expand.entity.references parameter was set to false.
A remote attacker able to send XML requests to a RESTEasy endpoint could
use this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2014-3490)
This issue was discovered by David Jorm of Red Hat Product Security.
All resteasy-base users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-06"/>
<updated date="2014-08-29"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3490.html">CVE-2014-3490</cve>
<bugzilla href="https://bugzilla.redhat.com/1107901" id="1107901">CVE-2014-3490 RESTEasy: XXE via parameter entities</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="resteasy-base is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011005"/>
<criterion comment="resteasy-base is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011006"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-atom-provider is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011009"/>
<criterion comment="resteasy-base-atom-provider is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011010"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-jackson-provider is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011017"/>
<criterion comment="resteasy-base-jackson-provider is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011018"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-javadoc is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011021"/>
<criterion comment="resteasy-base-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011022"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-jaxb-provider is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011025"/>
<criterion comment="resteasy-base-jaxb-provider is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011026"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-jaxrs is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011023"/>
<criterion comment="resteasy-base-jaxrs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011024"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-jaxrs-all is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011011"/>
<criterion comment="resteasy-base-jaxrs-all is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011012"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-jaxrs-api is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011019"/>
<criterion comment="resteasy-base-jaxrs-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011020"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-jettison-provider is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011013"/>
<criterion comment="resteasy-base-jettison-provider is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011014"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-providers-pom is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011015"/>
<criterion comment="resteasy-base-providers-pom is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011016"/>
</criteria>
<criteria operator="AND">
<criterion comment="resteasy-base-tjws is earlier than 0:2.3.5-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141011007"/>
<criterion comment="resteasy-base-tjws is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141011008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141013" version="601">
<metadata>
<title>RHSA-2014:1013: php security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1013-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1013.html" source="RHSA"/>
<reference ref_id="CVE-2013-7345" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-7345.html" source="CVE"/>
<reference ref_id="CVE-2014-0207" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0207.html" source="CVE"/>
<reference ref_id="CVE-2014-0237" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0237.html" source="CVE"/>
<reference ref_id="CVE-2014-0238" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0238.html" source="CVE"/>
<reference ref_id="CVE-2014-3479" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3479.html" source="CVE"/>
<reference ref_id="CVE-2014-3480" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3480.html" source="CVE"/>
<reference ref_id="CVE-2014-3487" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3487.html" source="CVE"/>
<reference ref_id="CVE-2014-3515" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3515.html" source="CVE"/>
<reference ref_id="CVE-2014-4049" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4049.html" source="CVE"/>
<reference ref_id="CVE-2014-4721" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4721.html" source="CVE"/>
<description>PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server. PHP's fileinfo module provides functions used to identify a
particular file according to the type of data contained by the file.
A denial of service flaw was found in the File Information (fileinfo)
extension rules for detecting AWK files. A remote attacker could use this
flaw to cause a PHP application using fileinfo to consume an excessive
amount of CPU. (CVE-2013-7345)
Multiple denial of service flaws were found in the way the File Information
(fileinfo) extension parsed certain Composite Document Format (CDF) files.
A remote attacker could use either of these flaws to crash a PHP
application using fileinfo via a specially crafted CDF file.
(CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-3479, CVE-2014-3480,
CVE-2014-3487)
A heap-based buffer overflow flaw was found in the way PHP parsed DNS TXT
records. A malicious DNS server or a man-in-the-middle attacker could
possibly use this flaw to execute arbitrary code as the PHP interpreter if
a PHP application used the dns_get_record() function to perform a DNS
query. (CVE-2014-4049)
A type confusion issue was found in PHP's phpinfo() function. A malicious
script author could possibly use this flaw to disclose certain portions of
server memory. (CVE-2014-4721)
A type confusion issue was found in the SPL ArrayObject and
SPLObjectStorage classes' unserialize() method. A remote attacker able to
submit specially crafted input to a PHP application, which would then
unserialize this input using one of the aforementioned methods, could use
this flaw to execute arbitrary code with the privileges of the user running
that PHP application. (CVE-2014-3515)
The CVE-2014-0207, CVE-2014-0237, CVE-2014-0238, CVE-2014-3479,
CVE-2014-3480, and CVE-2014-3487 issues were discovered by Francisco Alonso
of Red Hat Product Security.
All php users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the httpd daemon must be restarted for the update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-06"/>
<updated date="2014-08-06"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-7345.html">CVE-2013-7345</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0207.html">CVE-2014-0207</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0237.html">CVE-2014-0237</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0238.html">CVE-2014-0238</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3479.html">CVE-2014-3479</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3480.html">CVE-2014-3480</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3487.html">CVE-2014-3487</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3515.html">CVE-2014-3515</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4049.html">CVE-2014-4049</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4721.html">CVE-2014-4721</cve>
<bugzilla href="https://bugzilla.redhat.com/1079846" id="1079846">CVE-2013-7345 file: extensive backtracking in awk rule regular expression</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1091842" id="1091842">CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098155" id="1098155">CVE-2014-0238 file: CDF property info parsing nelements infinite loop</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098193" id="1098193">CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104858" id="1104858">CVE-2014-3480 file: cdf_count_chain insufficient boundary check</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104869" id="1104869">CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1107544" id="1107544">CVE-2014-3487 file: cdf_read_property_info insufficient boundary check</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108447" id="1108447">CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112154" id="1112154">CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1116662" id="1116662">CVE-2014-4721 php: type confusion issue in phpinfo() leading to information leak</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="php is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013005"/>
<criterion comment="php is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013006"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-bcmath is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013009"/>
<criterion comment="php-bcmath is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013010"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-cli is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013039"/>
<criterion comment="php-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013040"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-common is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013021"/>
<criterion comment="php-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013022"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-dba is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013045"/>
<criterion comment="php-dba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013046"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-devel is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013043"/>
<criterion comment="php-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013044"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-embedded is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013031"/>
<criterion comment="php-embedded is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013032"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-enchant is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013051"/>
<criterion comment="php-enchant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013052"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-fpm is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013053"/>
<criterion comment="php-fpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013054"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-gd is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013023"/>
<criterion comment="php-gd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013024"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-intl is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013011"/>
<criterion comment="php-intl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013012"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-ldap is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013015"/>
<criterion comment="php-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013016"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mbstring is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013047"/>
<criterion comment="php-mbstring is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013048"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mysql is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013049"/>
<criterion comment="php-mysql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013050"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mysqlnd is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013027"/>
<criterion comment="php-mysqlnd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013028"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-odbc is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013025"/>
<criterion comment="php-odbc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013026"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pdo is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013007"/>
<criterion comment="php-pdo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013008"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pgsql is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013017"/>
<criterion comment="php-pgsql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013018"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-process is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013029"/>
<criterion comment="php-process is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013030"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pspell is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013041"/>
<criterion comment="php-pspell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013042"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-recode is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013033"/>
<criterion comment="php-recode is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013034"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-snmp is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013035"/>
<criterion comment="php-snmp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013036"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-soap is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013013"/>
<criterion comment="php-soap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013014"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xml is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013019"/>
<criterion comment="php-xml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013020"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xmlrpc is earlier than 0:5.4.16-23.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141013037"/>
<criterion comment="php-xmlrpc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013038"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141023" version="601">
<metadata>
<title>RHSA-2014:1023: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1023-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1023.html" source="RHSA"/>
<reference ref_id="CVE-2014-0181" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0181.html" source="CVE"/>
<reference ref_id="CVE-2014-2672" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2672.html" source="CVE"/>
<reference ref_id="CVE-2014-2673" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2673.html" source="CVE"/>
<reference ref_id="CVE-2014-2706" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2706.html" source="CVE"/>
<reference ref_id="CVE-2014-3534" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3534.html" source="CVE"/>
<reference ref_id="CVE-2014-4667" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4667.html" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* It was found that Linux kernel's ptrace subsystem did not properly
sanitize the address-space-control bits when the program-status word (PSW)
was being set. On IBM S/390 systems, a local, unprivileged user could use
this flaw to set address-space-control bits to the kernel space, and thus
gain read and write access to kernel memory. (CVE-2014-3534, Important)
* It was found that the permission checks performed by the Linux kernel
when a netlink message was received were not sufficient. A local,
unprivileged user could potentially bypass these restrictions by passing a
netlink socket as stdout or stderr to a more privileged process and
altering the output of this process. (CVE-2014-0181, Moderate)
* It was found that a remote attacker could use a race condition flaw in
the ath_tx_aggr_sleep() function to crash the system by creating large
network traffic on the system's Atheros 9k wireless network adapter.
(CVE-2014-2672, Moderate)
* A flaw was found in the way the Linux kernel performed forking inside of
a transaction. A local, unprivileged user on a PowerPC system that supports
transactional memory could use this flaw to crash the system.
(CVE-2014-2673, Moderate)
* A race condition flaw was found in the way the Linux kernel's mac80211
subsystem implementation handled synchronization between TX and STA wake-up
code paths. A remote attacker could use this flaw to crash the system.
(CVE-2014-2706, Moderate)
* An integer underflow flaw was found in the way the Linux kernel's Stream
Control Transmission Protocol (SCTP) implementation processed certain
COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote
attacker could use this flaw to prevent legitimate connections to a
particular SCTP server socket to be made. (CVE-2014-4667, Moderate)
Red Hat would like to thank Martin Schwidefsky of IBM for reporting
CVE-2014-3534, Andy Lutomirski for reporting CVE-2014-0181, and Gopal Reddy
Kodudula of Nokia Siemens Networks for reporting CVE-2014-4667.
This update also fixes the following bugs:
* Due to a NULL pointer dereference bug in the IPIP and SIT tunneling code,
a kernel panic could be triggered when using IPIP or SIT tunnels with
IPsec. This update restructures the related code to avoid a NULL pointer
dereference and the kernel no longer panics when using IPIP or SIT tunnels
with IPsec. (BZ#1114957)
* Previously, an IBM POWER8 system could terminate unexpectedly when the
kernel received an IRQ while handling a transactional memory re-checkpoint
critical section. This update ensures that IRQs are disabled in this
situation and the problem no longer occurs. (BZ#1113150)
* A missing read memory barrier, rmb(), in the bnx2x driver caused the
kernel to crash under various circumstances. This problem has been fixed
by adding an rmb() call to the relevant place in the bnx2x code.
(BZ#1107721)
* The hpwdt driver previously emitted a panic message that was misleading
on certain HP systems. This update ensures that upon a kernel panic, hpwdt
displays information valid on all HP systems. (BZ#1096961)
* The qla2xxx driver has been upgraded to version 8.06.00.08.07.0-k3,
which provides a number of bug fixes over the previous version in order to
correct various timeout problems with the mailbox commands. (BZ#1112389)
* The SCSI mid-layer could retry an I/O operation indefinitely if a storage
array repeatedly returned a CHECK CONDITION status to that I/O operation
but the sense data was invalid. This update fixes the problem by limiting
a time for which is such an I/O operation retried. (BZ#1114468)
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-06"/>
<updated date="2014-08-06"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0181.html">CVE-2014-0181</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2672.html">CVE-2014-2672</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2673.html">CVE-2014-2673</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2706.html">CVE-2014-2706</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3534.html">CVE-2014-3534</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4667.html">CVE-2014-4667</cve>
<bugzilla href="https://bugzilla.redhat.com/1083213" id="1083213">CVE-2014-2673 kernel: powerpc: tm: crash when forking inside a transaction</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1083246" id="1083246">CVE-2014-2672 kernel: ath9k: tid->sched race in ath_tx_aggr_sleep()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1083512" id="1083512">CVE-2014-2706 Kernel: net: mac80211: crash dues to AP powersave TX vs. wakeup race</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1094265" id="1094265">CVE-2014-0181 kernel: net: insufficient permision checks of netlink messages</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113967" id="1113967">CVE-2014-4667 kernel: sctp: sk_ack_backlog wrap-around problem</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1114089" id="1114089">CVE-2014-3534 kernel: s390: ptrace: insufficient sanitization when setting psw mask</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023031"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023015"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023017"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023011"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023033"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023029"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023027"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023019"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023009"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023013"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023023"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-123.6.3.el7" test_ref="oval:com.redhat.rhsa:tst:20141023021"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141031" version="601">
<metadata>
<title>RHSA-2014:1031: 389-ds-base security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2014:1031-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1031.html" source="RHSA"/>
<reference ref_id="CVE-2014-3562" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3562.html" source="CVE"/>
<description>The 389 Directory Server is an LDAPv3 compliant server. The base packages
include the Lightweight Directory Access Protocol (LDAP) server and
command-line utilities for server administration.
It was found that when replication was enabled for each attribute in 389
Directory Server, which is the default configuration, the server returned
replicated metadata when the directory was searched while debugging was
enabled. A remote attacker could use this flaw to disclose potentially
sensitive information. (CVE-2014-3562)
This issue was discovered by Ludwig Krispenz of Red Hat.
All 389-ds-base users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After installing
this update, the 389 server service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-07"/>
<updated date="2014-08-07"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3562.html">CVE-2014-3562</cve>
<bugzilla href="https://bugzilla.redhat.com/1123477" id="1123477">CVE-2014-3562 389-ds: unauthenticated information disclosure</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="389-ds-base is earlier than 0:1.2.11.15-34.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141031005"/>
<criterion comment="389-ds-base is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031006"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-devel is earlier than 0:1.2.11.15-34.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141031009"/>
<criterion comment="389-ds-base-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031010"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-libs is earlier than 0:1.2.11.15-34.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141031007"/>
<criterion comment="389-ds-base-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="389-ds-base is earlier than 0:1.3.1.6-26.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141031015"/>
<criterion comment="389-ds-base is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031006"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-devel is earlier than 0:1.3.1.6-26.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141031016"/>
<criterion comment="389-ds-base-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031010"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-libs is earlier than 0:1.3.1.6-26.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141031017"/>
<criterion comment="389-ds-base-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141034" version="601">
<metadata>
<title>RHSA-2014:1034: tomcat security update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1034-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1034.html" source="RHSA"/>
<reference ref_id="CVE-2014-0119" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0119.html" source="CVE"/>
<description>Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
It was found that, in certain circumstances, it was possible for a
malicious web application to replace the XML parsers used by Apache Tomcat
to process XSLTs for the default servlet, JSP documents, tag library
descriptors (TLDs), and tag plug-in configuration files. The injected XML
parser(s) could then bypass the limits imposed on XML external entities
and/or gain access to the XML files processed for other web applications
deployed on the same Apache Tomcat instance. (CVE-2014-0119)
All Tomcat users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. Tomcat must be restarted
for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-07"/>
<updated date="2014-08-07"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0119.html">CVE-2014-0119</cve>
<bugzilla href="https://bugzilla.redhat.com/1102038" id="1102038">CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="tomcat is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034005"/>
<criterion comment="tomcat is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686006"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-admin-webapps is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034011"/>
<criterion comment="tomcat-admin-webapps is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686016"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-docs-webapp is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034009"/>
<criterion comment="tomcat-docs-webapp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686014"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-el-2.2-api is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034015"/>
<criterion comment="tomcat-el-2.2-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686024"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-javadoc is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034013"/>
<criterion comment="tomcat-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686012"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-jsp-2.2-api is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034021"/>
<criterion comment="tomcat-jsp-2.2-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686018"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-jsvc is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034007"/>
<criterion comment="tomcat-jsvc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686022"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-lib is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034017"/>
<criterion comment="tomcat-lib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686010"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-servlet-3.0-api is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034019"/>
<criterion comment="tomcat-servlet-3.0-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686020"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-webapps is earlier than 0:7.0.42-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141034023"/>
<criterion comment="tomcat-webapps is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141052" version="601">
<metadata>
<title>RHSA-2014:1052: openssl security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1052-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1052.html" source="RHSA"/>
<reference ref_id="CVE-2014-3505" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3505.html" source="CVE"/>
<reference ref_id="CVE-2014-3506" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3506.html" source="CVE"/>
<reference ref_id="CVE-2014-3507" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3507.html" source="CVE"/>
<reference ref_id="CVE-2014-3508" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3508.html" source="CVE"/>
<reference ref_id="CVE-2014-3509" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3509.html" source="CVE"/>
<reference ref_id="CVE-2014-3510" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3510.html" source="CVE"/>
<reference ref_id="CVE-2014-3511" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3511.html" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
library.
A race condition was found in the way OpenSSL handled ServerHello messages
with an included Supported EC Point Format extension. A malicious server
could possibly use this flaw to cause a multi-threaded TLS/SSL client using
OpenSSL to write into freed memory, causing the client to crash or execute
arbitrary code. (CVE-2014-3509)
It was discovered that the OBJ_obj2txt() function could fail to properly
NUL-terminate its output. This could possibly cause an application using
OpenSSL functions to format fields of X.509 certificates to disclose
portions of its memory. (CVE-2014-3508)
A flaw was found in the way OpenSSL handled fragmented handshake packets.
A man-in-the-middle attacker could use this flaw to force a TLS/SSL server
using OpenSSL to use TLS 1.0, even if both the client and the server
supported newer protocol versions. (CVE-2014-3511)
Multiple flaws were discovered in the way OpenSSL handled DTLS packets.
A remote attacker could use these flaws to cause a DTLS server or client
using OpenSSL to crash or use excessive amounts of memory. (CVE-2014-3505,
CVE-2014-3506, CVE-2014-3507)
A NULL pointer dereference flaw was found in the way OpenSSL performed a
handshake when using the anonymous Diffie-Hellman (DH) key exchange. A
malicious server could cause a DTLS client using OpenSSL to crash if that
client had anonymous DH cipher suites enabled. (CVE-2014-3510)
All OpenSSL users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all services linked to the OpenSSL library (such as httpd and other
SSL-enabled services) must be restarted or the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-13"/>
<updated date="2014-08-13"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3505.html">CVE-2014-3505</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3506.html">CVE-2014-3506</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3507.html">CVE-2014-3507</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3508.html">CVE-2014-3508</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3509.html">CVE-2014-3509</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3510.html">CVE-2014-3510</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3511.html">CVE-2014-3511</cve>
<bugzilla href="https://bugzilla.redhat.com/1127490" id="1127490">CVE-2014-3508 openssl: information leak in pretty printing functions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1127498" id="1127498">CVE-2014-3509 openssl: race condition in ssl_parse_serverhello_tlsext</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1127499" id="1127499">CVE-2014-3505 openssl: DTLS packet processing double free</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1127500" id="1127500">CVE-2014-3506 openssl: DTLS memory exhaustion</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1127502" id="1127502">CVE-2014-3507 openssl: DTLS memory leak from zero-length fragments</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1127503" id="1127503">CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1127504" id="1127504">CVE-2014-3511 openssl: TLS protocol downgrade attack</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 0:1.0.1e-16.el6_5.15" test_ref="oval:com.redhat.rhsa:tst:20141052005"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 0:1.0.1e-16.el6_5.15" test_ref="oval:com.redhat.rhsa:tst:20141052011"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 0:1.0.1e-16.el6_5.15" test_ref="oval:com.redhat.rhsa:tst:20141052009"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 0:1.0.1e-16.el6_5.15" test_ref="oval:com.redhat.rhsa:tst:20141052007"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-34.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20141052017"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20141052020"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20141052018"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20141052021"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20141052022"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141073" version="601">
<metadata>
<title>RHSA-2014:1073: nss, nss-util, nss-softokn security, bug fix, and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1073-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1073.html" source="RHSA"/>
<reference ref_id="CVE-2014-1492" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1492.html" source="CVE"/>
<description>Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Applications built with NSS can support SSLv3, TLS, and other
security standards.
It was found that the implementation of Internationalizing Domain Names in
Applications (IDNA) hostname matching in NSS did not follow the RFC 6125
recommendations. This could lead to certain invalid certificates with
international characters to be accepted as valid. (CVE-2014-1492)
In addition, the nss, nss-util, and nss-softokn packages have been upgraded
to upstream version 3.16.2, which provides a number of bug fixes and
enhancements over the previous versions. (BZ#1124659)
Users of NSS are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. After installing this
update, applications using NSS must be restarted for this update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-18"/>
<updated date="2014-08-18"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1492.html">CVE-2014-1492</cve>
<bugzilla href="https://bugzilla.redhat.com/1079851" id="1079851">CVE-2014-1492 nss: IDNA hostname matching code does not follow RFC 6125 recommendation (MFSA 2014-45)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1124659" id="1124659">Rebase RHEL 7.0.Z to at least NSS 3.16.1 (FF 31)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss-util is earlier than 0:3.16.2-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073005"/>
<criterion comment="nss-util is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073006"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util-devel is earlier than 0:3.16.2-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073007"/>
<criterion comment="nss-util-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073008"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn is earlier than 0:3.16.2-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073009"/>
<criterion comment="nss-softokn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073010"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-devel is earlier than 0:3.16.2-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073013"/>
<criterion comment="nss-softokn-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073014"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl is earlier than 0:3.16.2-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073015"/>
<criterion comment="nss-softokn-freebl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073016"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl-devel is earlier than 0:3.16.2-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073011"/>
<criterion comment="nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073012"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073017"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073025"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073019"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073023"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141073021"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141091" version="601">
<metadata>
<title>RHSA-2014:1091: mod_wsgi security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1091-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1091.html" source="RHSA"/>
<reference ref_id="CVE-2014-0240" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0240.html" source="CVE"/>
<description>The mod_wsgi adapter is an Apache module that provides a WSGI-compliant
interface for hosting Python-based web applications within Apache.
It was found that mod_wsgi did not properly drop privileges if the call to
setuid() failed. If mod_wsgi was set up to allow unprivileged users to run
WSGI applications, a local user able to run a WSGI application could
possibly use this flaw to escalate their privileges on the system.
(CVE-2014-0240)
Note: mod_wsgi is not intended to provide privilege separation for WSGI
applications. Systems relying on mod_wsgi to limit or sandbox the
privileges of mod_wsgi applications should migrate to a different solution
with proper privilege separation.
Red Hat would like to thank Graham Dumpleton for reporting this issue.
Upstream acknowledges Róbert Kisteleki as the original reporter.
All mod_wsgi users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-25"/>
<updated date="2014-08-25"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0240.html">CVE-2014-0240</cve>
<bugzilla href="https://bugzilla.redhat.com/1101863" id="1101863">CVE-2014-0240 mod_wsgi: possible privilege escalation in setuid() failure scenarios</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="mod_wsgi is earlier than 0:3.4-12.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141091005"/>
<criterion comment="mod_wsgi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141091006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141110" version="601">
<metadata>
<title>RHSA-2014:1110: glibc security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1110-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1110.html" source="RHSA"/>
<reference ref_id="CVE-2014-0475" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-0475.html" source="CVE"/>
<reference ref_id="CVE-2014-5119" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-5119.html" source="CVE"/>
<description>The glibc packages contain the standard C libraries used by multiple
programs on the system. These packages contain the standard C and the
standard math libraries. Without these two libraries, a Linux system cannot
function properly.
An off-by-one heap-based buffer overflow flaw was found in glibc's internal
__gconv_translit_find() function. An attacker able to make an application
call the iconv_open() function with a specially crafted argument could
possibly use this flaw to execute arbitrary code with the privileges of
that application. (CVE-2014-5119)
A directory traveral flaw was found in the way glibc loaded locale files.
An attacker able to make an application use a specially crafted locale name
value (for example, specified in an LC_* environment variable) could
possibly use this flaw to execute arbitrary code with the privileges of
that application. (CVE-2014-0475)
Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-0475.
All glibc users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-08-29"/>
<updated date="2014-08-29"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-0475.html">CVE-2014-0475</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-5119.html">CVE-2014-5119</cve>
<bugzilla href="https://bugzilla.redhat.com/1102353" id="1102353">CVE-2014-0475 glibc: directory traversal in LC_* locale handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119128" id="1119128">CVE-2014-5119 glibc: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find()</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.5-118.el5_10.3" test_ref="oval:com.redhat.rhsa:tst:20141110002"/>
<criterion comment="glibc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141110003"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.5-118.el5_10.3" test_ref="oval:com.redhat.rhsa:tst:20141110008"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141110009"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.5-118.el5_10.3" test_ref="oval:com.redhat.rhsa:tst:20141110004"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141110005"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.5-118.el5_10.3" test_ref="oval:com.redhat.rhsa:tst:20141110010"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141110011"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.5-118.el5_10.3" test_ref="oval:com.redhat.rhsa:tst:20141110012"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141110013"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.5-118.el5_10.3" test_ref="oval:com.redhat.rhsa:tst:20141110006"/>
<criterion comment="nscd is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141110007"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.12-1.132.el6_5.4" test_ref="oval:com.redhat.rhsa:tst:20141110018"/>
<criterion comment="glibc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110019"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.12-1.132.el6_5.4" test_ref="oval:com.redhat.rhsa:tst:20141110024"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110025"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.12-1.132.el6_5.4" test_ref="oval:com.redhat.rhsa:tst:20141110022"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110023"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.12-1.132.el6_5.4" test_ref="oval:com.redhat.rhsa:tst:20141110020"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110021"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-static is earlier than 0:2.12-1.132.el6_5.4" test_ref="oval:com.redhat.rhsa:tst:20141110026"/>
<criterion comment="glibc-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110027"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.12-1.132.el6_5.4" test_ref="oval:com.redhat.rhsa:tst:20141110028"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.12-1.132.el6_5.4" test_ref="oval:com.redhat.rhsa:tst:20141110030"/>
<criterion comment="nscd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110031"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.17-55.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141110036"/>
<criterion comment="glibc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110019"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.17-55.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141110042"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110025"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.17-55.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141110040"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110023"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.17-55.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141110038"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110021"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-static is earlier than 0:2.17-55.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141110041"/>
<criterion comment="glibc-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110027"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.17-55.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141110037"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.17-55.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141110039"/>
<criterion comment="nscd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110031"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141144" version="601">
<metadata>
<title>RHSA-2014:1144: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1144-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1144.html" source="RHSA"/>
<reference ref_id="CVE-2014-1562" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1562.html" source="CVE"/>
<reference ref_id="CVE-2014-1567" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1567.html" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2014-1562, CVE-2014-1567)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jan de Mooij as the original reporter of
CVE-2014-1562, and regenrecht as the original reporter of CVE-2014-1567.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 24.8.0 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 24.8.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-03"/>
<updated date="2014-09-03"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1562.html">CVE-2014-1562</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1567.html">CVE-2014-1567</cve>
<bugzilla href="https://bugzilla.redhat.com/1135862" id="1135862">CVE-2014-1562 Mozilla: Miscellaneous memory safety hazards (rv:rv:24.8) (MFSA 2014-67)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1135869" id="1135869">CVE-2014-1567 Mozilla: Use-after-free setting text directionality (MFSA 2014-72)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:24.8.0-2.el5_10" test_ref="oval:com.redhat.rhsa:tst:20141144002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:24.8.0-1.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141144008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:24.8.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141144014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner is earlier than 0:24.8.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141144015"/>
<criterion comment="xulrunner is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner-devel is earlier than 0:24.8.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141144017"/>
<criterion comment="xulrunner-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741018"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141146" version="601">
<metadata>
<title>RHSA-2014:1146: httpcomponents-client security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1146-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1146.html" source="RHSA"/>
<reference ref_id="CVE-2014-3577" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3577.html" source="CVE"/>
<description>HttpClient is an HTTP/1.1 compliant HTTP agent implementation based on
httpcomponents HttpCore.
It was discovered that the HttpClient incorrectly extracted host name from
an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle
attacker could use this flaw to spoof an SSL server using a specially
crafted X.509 certificate. (CVE-2014-3577)
For additional information on this flaw, refer to the Knowledgebase
article in the References section.
All httpcomponents-client users are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-03"/>
<updated date="2014-09-03"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3577.html">CVE-2014-3577</cve>
<bugzilla href="https://bugzilla.redhat.com/1129074" id="1129074">CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="httpcomponents-client is earlier than 0:4.2.5-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141146005"/>
<criterion comment="httpcomponents-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141146006"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpcomponents-client-javadoc is earlier than 0:4.2.5-5.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141146007"/>
<criterion comment="httpcomponents-client-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141146008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141147" version="601">
<metadata>
<title>RHSA-2014:1147: squid security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1147-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1147.html" source="RHSA"/>
<reference ref_id="CVE-2014-3609" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3609.html" source="CVE"/>
<description>Squid is a high-performance proxy caching server for web clients,
supporting FTP, Gopher, and HTTP data objects.
A flaw was found in the way Squid handled malformed HTTP Range headers.
A remote attacker able to send HTTP requests to the Squid proxy could use
this flaw to crash Squid. (CVE-2014-3609)
Red Hat would like to thank the Squid project for reporting this issue.
Upstream acknowledges Matthew Daley as the original reporter.
All Squid users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing this
update, the squid service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-03"/>
<updated date="2014-09-03"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3609.html">CVE-2014-3609</cve>
<bugzilla href="https://bugzilla.redhat.com/1134209" id="1134209">CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="squid is earlier than 7:3.3.8-12.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141147005"/>
<criterion comment="squid is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141147006"/>
</criteria>
<criteria operator="AND">
<criterion comment="squid-sysvinit is earlier than 7:3.3.8-12.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141147007"/>
<criterion comment="squid-sysvinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141147008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141166" version="601">
<metadata>
<title>RHSA-2014:1166: jakarta-commons-httpclient security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1166-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1166.html" source="RHSA"/>
<reference ref_id="CVE-2014-3577" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3577.html" source="CVE"/>
<description>Jakarta Commons HTTPClient implements the client side of HTTP standards.
It was discovered that the HTTPClient incorrectly extracted host name from
an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle
attacker could use this flaw to spoof an SSL server using a specially
crafted X.509 certificate. (CVE-2014-3577)
For additional information on this flaw, refer to the Knowledgebase
article in the References section.
All jakarta-commons-httpclient users are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-08"/>
<updated date="2014-09-08"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3577.html">CVE-2014-3577</cve>
<bugzilla href="https://bugzilla.redhat.com/1129074" id="1129074">CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient is earlier than 1:3.0-7jpp.4.el5_10" test_ref="oval:com.redhat.rhsa:tst:20141166002"/>
<criterion comment="jakarta-commons-httpclient is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141166003"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient-demo is earlier than 1:3.0-7jpp.4.el5_10" test_ref="oval:com.redhat.rhsa:tst:20141166008"/>
<criterion comment="jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141166009"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient-javadoc is earlier than 1:3.0-7jpp.4.el5_10" test_ref="oval:com.redhat.rhsa:tst:20141166004"/>
<criterion comment="jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141166005"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient-manual is earlier than 1:3.0-7jpp.4.el5_10" test_ref="oval:com.redhat.rhsa:tst:20141166006"/>
<criterion comment="jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141166007"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient is earlier than 1:3.1-0.9.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141166014"/>
<criterion comment="jakarta-commons-httpclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141166015"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient-demo is earlier than 1:3.1-0.9.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141166020"/>
<criterion comment="jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141166021"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient-javadoc is earlier than 1:3.1-0.9.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141166016"/>
<criterion comment="jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141166017"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient-manual is earlier than 1:3.1-0.9.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141166018"/>
<criterion comment="jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141166019"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient is earlier than 1:3.1-16.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141166026"/>
<criterion comment="jakarta-commons-httpclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141166015"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient-demo is earlier than 1:3.1-16.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141166028"/>
<criterion comment="jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141166021"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient-javadoc is earlier than 1:3.1-16.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141166029"/>
<criterion comment="jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141166017"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-commons-httpclient-manual is earlier than 1:3.1-16.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141166027"/>
<criterion comment="jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141166019"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141172" version="601">
<metadata>
<title>RHSA-2014:1172: procmail security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1172-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1172.html" source="RHSA"/>
<reference ref_id="CVE-2014-3618" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3618.html" source="CVE"/>
<description>The procmail program is used for local mail delivery. In addition to just
delivering mail, procmail can be used for automatic filtering, presorting,
and other mail handling jobs.
A heap-based buffer overflow flaw was found in procmail's formail utility.
A remote attacker could send an email with specially crafted headers that,
when processed by formail, could cause procmail to crash or, possibly,
execute arbitrary code as the user running formail. (CVE-2014-3618)
All procmail users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-10"/>
<updated date="2014-09-10"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3618.html">CVE-2014-3618</cve>
<bugzilla href="https://bugzilla.redhat.com/1137581" id="1137581">CVE-2014-3618 procmail: Heap-overflow in procmail's formail utility when processing specially-crafted email headers</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="procmail is earlier than 0:3.22-17.1.2" test_ref="oval:com.redhat.rhsa:tst:20141172002"/>
<criterion comment="procmail is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141172003"/>
</criteria>
<criteria operator="AND">
<criterion comment="procmail is earlier than 0:3.22-25.1.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20141172008"/>
<criterion comment="procmail is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141172009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="procmail is earlier than 0:3.22-34.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141172014"/>
<criterion comment="procmail is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141172009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141281" version="601">
<metadata>
<title>RHSA-2014:1281: kernel security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1281-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1281.html" source="RHSA"/>
<reference ref_id="CVE-2014-3917" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3917.html" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* An out-of-bounds memory access flaw was found in the Linux kernel's
system call auditing implementation. On a system with existing audit rules
defined, a local, unprivileged user could use this flaw to leak kernel
memory to user space or, potentially, crash the system. (CVE-2014-3917,
Moderate)
This update also fixes the following bugs:
* A bug in the mtip32xx driver could prevent the Micron P420m PCIe SSD
devices with unaligned I/O access from completing the submitted I/O
requests. This resulted in a livelock situation and rendered the Micron
P420m PCIe SSD devices unusable. To fix this problem, mtip32xx now checks
whether an I/O access is unaligned and if so, it uses the correct
semaphore. (BZ#1125776)
* A series of patches has been backported to improve the functionality of
a touch pad on the latest Lenovo laptops in Red Hat Enterprise Linux 7.
(BZ#1122559)
* Due to a bug in the bnx2x driver, a network adapter could be unable to
recover from EEH error injection. The network adapter had to be taken
offline and rebooted in order to function properly again. With this update,
the bnx2x driver has been corrected and network adapters now recover from
EEH errors as expected. (BZ#1107722)
* Previously, if an hrtimer interrupt was delayed, all future pending
hrtimer events that were queued on the same processor were also delayed
until the initial hrtimer event was handled. This could cause all hrtimer
processing to stop for a significant period of time. To prevent this
problem, the kernel has been modified to handle all expired hrtimer events
when handling the initially delayed hrtimer event. (BZ#1113175)
* A previous change to the nouveau driver introduced a bit shift error,
which resulted in a wrong display resolution being set with some models
of NVIDIA controllers. With this update, the erroneous code has been
corrected, and the affected NVIDIA controllers can now set the correct
display resolution. (BZ#1114869)
* Due to a NULL pointer dereference bug in the be2net driver, the system
could experience a kernel oops and reboot when disabling a network adapter
after a permanent failure. This problem has been fixed by introducing a
flag to keep track of the setup state. The failing adapter can now be
disabled successfully without a kernel crash. (BZ#1122558)
* Previously, the Huge Translation Lookaside Buffer (HugeTLB) allowed
access to huge pages access by default. However, huge pages may be
unsupported in some environments, such as a KVM guest on a PowerPC
architecture, and an attempt to access a huge page in memory would result
in a kernel oops. This update ensures that HugeTLB denies access to huge
pages if the huge pages are not supported on the system. (BZ#1122115)
* If an NVMe device becomes ready but fails to create I/O queues, the nvme
driver creates a character device handle to manage such a device.
Previously, a character device could be created before a device reference
counter was initialized, which resulted in a kernel oops. This problem has
been fixed by calling the relevant initialization function earlier in the
code. (BZ#1119720)
* On some firmware versions of the BladeEngine 3 (BE3) controller,
interrupts remain disabled after a hardware reset. This was a problem for
all Emulex-based network adapters using such a BE3 controller because
these adapters would fail to recover from an EEH error if it occurred. To
resolve this problem, the be2net driver has been modified to enable the
interrupts in the eeh_resume handler explicitly. (BZ#1121712)
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-22"/>
<updated date="2014-09-22"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3917.html">CVE-2014-3917</cve>
<bugzilla href="https://bugzilla.redhat.com/1102571" id="1102571">CVE-2014-3917 kernel: DoS with syscall auditing</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281033"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281015"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281021"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281013"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281031"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281029"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281027"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281011"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281023"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281019"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281009"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-123.8.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141281017"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141292" version="601">
<metadata>
<title>RHSA-2014:1292: haproxy security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1292-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1292.html" source="RHSA"/>
<reference ref_id="CVE-2014-6269" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6269.html" source="CVE"/>
<description>HAProxy provides high availability, load balancing, and proxying for TCP
and HTTP-based applications.
A buffer overflow flaw was discovered in the way HAProxy handled, under
very specific conditions, data uploaded from a client. A remote attacker
could possibly use this flaw to crash HAProxy. (CVE-2014-6269)
All haproxy users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-24"/>
<updated date="2014-09-24"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6269.html">CVE-2014-6269</cve>
<bugzilla href="https://bugzilla.redhat.com/1136552" id="1136552">CVE-2014-6269 haproxy: remote client denial of service vulnerability</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="haproxy is earlier than 0:1.5.2-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141292005"/>
<criterion comment="haproxy is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141292006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141293" version="601">
<metadata>
<title>RHSA-2014:1293: bash security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1293-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1293.html" source="RHSA"/>
<reference ref_id="CVE-2014-6271" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6271.html" source="CVE"/>
<description>The GNU Bourne Again shell (Bash) is a shell and command language
interpreter compatible with the Bourne shell (sh). Bash is the default
shell for Red Hat Enterprise Linux.
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue.
(CVE-2014-6271)
For additional information on the CVE-2014-6271 flaw, refer to the
Knowledgebase article at https://access.redhat.com/articles/1200223
Red Hat would like to thank Stephane Chazelas for reporting this issue.
All bash users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-24"/>
<updated date="2014-09-24"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6271.html">CVE-2014-6271</cve>
<bugzilla href="https://bugzilla.redhat.com/1141597" id="1141597">CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bash is earlier than 0:4.1.2-15.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20141293005"/>
<criterion comment="bash is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141293006"/>
</criteria>
<criteria operator="AND">
<criterion comment="bash-doc is earlier than 0:4.1.2-15.el6_5.1" test_ref="oval:com.redhat.rhsa:tst:20141293007"/>
<criterion comment="bash-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141293008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="bash is earlier than 0:3.2-33.el5.1" test_ref="oval:com.redhat.rhsa:tst:20141293010"/>
<criterion comment="bash is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141293011"/>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bash is earlier than 0:4.2.45-5.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20141293016"/>
<criterion comment="bash is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141293006"/>
</criteria>
<criteria operator="AND">
<criterion comment="bash-doc is earlier than 0:4.2.45-5.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20141293017"/>
<criterion comment="bash-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141293008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141306" version="604">
<metadata>
<title>RHSA-2014:1306: bash security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1306-03" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1306.html" source="RHSA"/>
<reference ref_id="CVE-2014-7169" ref_url="https://access.redhat.com/security/cve/CVE-2014-7169" source="CVE"/>
<reference ref_id="CVE-2014-7186" ref_url="https://access.redhat.com/security/cve/CVE-2014-7186" source="CVE"/>
<reference ref_id="CVE-2014-7187" ref_url="https://access.redhat.com/security/cve/CVE-2014-7187" source="CVE"/>
<description>The GNU Bourne Again shell (Bash) is a shell and command language
interpreter compatible with the Bourne shell (sh). Bash is the default
shell for Red Hat Enterprise Linux.
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still
allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use
this flaw to override or bypass environment restrictions to execute shell
commands. Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit this
issue. (CVE-2014-7169)
Applications which directly create bash functions as environment variables
need to be made aware of changes to the way names are handled by this
update. Note that certain services, screen sessions, and tmux sessions may
need to be restarted, and affected interactive users may need to re-login.
Installing these updated packages without restarting services will address
the vulnerability, but functionality may be impacted until affected
services are restarted. For more information see the Knowledgebase article
at https://access.redhat.com/articles/1200223
Note: Docker users are advised to use "yum update" within their containers,
and to commit the resulting changes.
For additional information on CVE-2014-6271 and CVE-2014-7169, refer to the
aforementioned Knowledgebase article.
All bash users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-26"/>
<updated date="2014-09-30"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7169">CVE-2014-7169</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7186">CVE-2014-7186</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7187">CVE-2014-7187</cve>
<bugzilla href="https://bugzilla.redhat.com/1146319" id="1146319">CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bash is earlier than 0:4.1.2-15.el6_5.2" test_ref="oval:com.redhat.rhsa:tst:20141306005"/>
<criterion comment="bash is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141293006"/>
</criteria>
<criteria operator="AND">
<criterion comment="bash-doc is earlier than 0:4.1.2-15.el6_5.2" test_ref="oval:com.redhat.rhsa:tst:20141306007"/>
<criterion comment="bash-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141293008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="bash is earlier than 0:3.2-33.el5_11.4" test_ref="oval:com.redhat.rhsa:tst:20141306010"/>
<criterion comment="bash is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141293011"/>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bash is earlier than 0:4.2.45-5.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20141306016"/>
<criterion comment="bash is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141293006"/>
</criteria>
<criteria operator="AND">
<criterion comment="bash-doc is earlier than 0:4.2.45-5.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20141306017"/>
<criterion comment="bash-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141293008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141307" version="601">
<metadata>
<title>RHSA-2014:1307: nss security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1307-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1307.html" source="RHSA"/>
<reference ref_id="CVE-2014-1568" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1568.html" source="CVE"/>
<description>Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform
independence for non-GUI operating system facilities.
A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One)
input from certain RSA signatures. A remote attacker could use this flaw to
forge RSA certificates by providing a specially crafted signature to an
application using NSS. (CVE-2014-1568)
Red Hat would like to thank the Mozilla project for reporting this issue.
Upstream acknowledges Antoine Delignat-Lavaud and Intel Product Security
Incident Response Team as the original reporters.
All NSS users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing this
update, applications using NSS must be restarted for this update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-26"/>
<updated date="2014-09-26"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1568.html">CVE-2014-1568</cve>
<bugzilla href="https://bugzilla.redhat.com/1145429" id="1145429">CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss-util is earlier than 0:3.16.1-2.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307005"/>
<criterion comment="nss-util is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073006"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util-devel is earlier than 0:3.16.1-2.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307007"/>
<criterion comment="nss-util-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073008"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.16.1-7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307009"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.16.1-7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307015"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.16.1-7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307017"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.16.1-7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307013"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.16.1-7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307011"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn is earlier than 0:3.14.3-12.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307019"/>
<criterion comment="nss-softokn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073010"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-devel is earlier than 0:3.14.3-12.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307025"/>
<criterion comment="nss-softokn-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073014"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl is earlier than 0:3.14.3-12.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307023"/>
<criterion comment="nss-softokn-freebl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073016"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl-devel is earlier than 0:3.14.3-12.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141307021"/>
<criterion comment="nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.16.1-4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141307028"/>
<criterion comment="nss is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916003"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.16.1-4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141307032"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916005"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.16.1-4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141307030"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916007"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.16.1-4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141307034"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916009"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss-softokn is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307040"/>
<criterion comment="nss-softokn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073010"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-devel is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307041"/>
<criterion comment="nss-softokn-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073014"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307043"/>
<criterion comment="nss-softokn-freebl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073016"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl-devel is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307042"/>
<criterion comment="nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073012"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307044"/>
<criterion comment="nss-util is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073006"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util-devel is earlier than 0:3.16.2-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307045"/>
<criterion comment="nss-util-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073008"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.16.2-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307046"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.16.2-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307047"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.16.2-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307048"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.16.2-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307049"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.16.2-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141307050"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141319" version="601">
<metadata>
<title>RHSA-2014:1319: xerces-j2 security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1319-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1319.html" source="RHSA"/>
<reference ref_id="CVE-2013-4002" ref_url="https://www.redhat.com/security/data/cve/CVE-2013-4002.html" source="CVE"/>
<description>Apache Xerces for Java (Xerces-J) is a high performance, standards
compliant, validating XML parser written in Java. The xerces-j2 packages
provide Xerces-J version 2.
A resource consumption issue was found in the way Xerces-J handled XML
declarations. A remote attacker could use an XML document with a specially
crafted declaration using a long pseudo-attribute name that, when parsed by
an application using Xerces-J, would cause that application to use an
excessive amount of CPU. (CVE-2013-4002)
All xerces-j2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. Applications using the
Xerces-J must be restarted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-29"/>
<updated date="2014-09-29"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2013-4002.html">CVE-2013-4002</cve>
<bugzilla href="https://bugzilla.redhat.com/1019176" id="1019176">CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xerces-j2 is earlier than 0:2.7.1-12.7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141319005"/>
<criterion comment="xerces-j2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319006"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-j2-demo is earlier than 0:2.7.1-12.7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141319007"/>
<criterion comment="xerces-j2-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319008"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-j2-javadoc-apis is earlier than 0:2.7.1-12.7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141319009"/>
<criterion comment="xerces-j2-javadoc-apis is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319010"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-j2-javadoc-impl is earlier than 0:2.7.1-12.7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141319015"/>
<criterion comment="xerces-j2-javadoc-impl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-j2-javadoc-other is earlier than 0:2.7.1-12.7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141319017"/>
<criterion comment="xerces-j2-javadoc-other is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319018"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-j2-javadoc-xni is earlier than 0:2.7.1-12.7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141319013"/>
<criterion comment="xerces-j2-javadoc-xni is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319014"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-j2-scripts is earlier than 0:2.7.1-12.7.el6_5" test_ref="oval:com.redhat.rhsa:tst:20141319011"/>
<criterion comment="xerces-j2-scripts is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xerces-j2 is earlier than 0:2.11.0-17.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141319023"/>
<criterion comment="xerces-j2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319006"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-j2-demo is earlier than 0:2.11.0-17.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141319024"/>
<criterion comment="xerces-j2-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319008"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-j2-javadoc is earlier than 0:2.11.0-17.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141319025"/>
<criterion comment="xerces-j2-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141319026"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141327" version="601">
<metadata>
<title>RHSA-2014:1327: php security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1327-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1327.html" source="RHSA"/>
<reference ref_id="CVE-2014-2497" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-2497.html" source="CVE"/>
<reference ref_id="CVE-2014-3478" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3478.html" source="CVE"/>
<reference ref_id="CVE-2014-3538" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3538.html" source="CVE"/>
<reference ref_id="CVE-2014-3587" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3587.html" source="CVE"/>
<reference ref_id="CVE-2014-3597" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3597.html" source="CVE"/>
<reference ref_id="CVE-2014-4670" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4670.html" source="CVE"/>
<reference ref_id="CVE-2014-4698" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-4698.html" source="CVE"/>
<reference ref_id="CVE-2014-5120" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-5120.html" source="CVE"/>
<description>PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server. PHP's fileinfo module provides functions used to identify a
particular file according to the type of data contained by the file.
A buffer overflow flaw was found in the way the File Information (fileinfo)
extension processed certain Pascal strings. A remote attacker able to make
a PHP application using fileinfo convert a specially crafted Pascal string
provided by an image file could cause that application to crash.
(CVE-2014-3478)
Multiple flaws were found in the File Information (fileinfo) extension
regular expression rules for detecting various files. A remote attacker
could use either of these flaws to cause a PHP application using fileinfo
to consume an excessive amount of CPU. (CVE-2014-3538)
It was found that the fix for CVE-2012-1571 was incomplete; the File
Information (fileinfo) extension did not correctly parse certain Composite
Document Format (CDF) files. A remote attacker could use this flaw to crash
a PHP application using fileinfo via a specially crafted CDF file.
(CVE-2014-3587)
It was found that PHP's gd extension did not properly handle file names
with a null character. A remote attacker could possibly use this flaw to
make a PHP application access unexpected files and bypass intended file
system access restrictions. (CVE-2014-5120)
A NULL pointer dereference flaw was found in the gdImageCreateFromXpm()
function of PHP's gd extension. A remote attacker could use this flaw to
crash a PHP application using gd via a specially crafted X PixMap (XPM)
file. (CVE-2014-2497)
Multiple buffer over-read flaws were found in the php_parserr() function of
PHP. A malicious DNS server or a man-in-the-middle attacker could possibly
use this flaw to execute arbitrary code as the PHP interpreter if a PHP
application used the dns_get_record() function to perform a DNS query.
(CVE-2014-3597)
Two use-after-free flaws were found in the way PHP handled certain Standard
PHP Library (SPL) Iterators and ArrayIterators. A malicious script author
could possibly use either of these flaws to disclose certain portions of
server memory. (CVE-2014-4670, CVE-2014-4698)
The CVE-2014-3478 issue was discovered by Francisco Alonso of Red Hat
Product Security, the CVE-2014-3538 issue was discovered by Jan Kaluža of
the Red Hat Web Stack Team, and the CVE-2014-3597 issue was discovered by
David Kutálek of the Red Hat BaseOS QE.
All php users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the httpd daemon must be restarted for the update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-09-30"/>
<updated date="2014-09-30"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-2497.html">CVE-2014-2497</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3478.html">CVE-2014-3478</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3538.html">CVE-2014-3538</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3587.html">CVE-2014-3587</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3597.html">CVE-2014-3597</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4670.html">CVE-2014-4670</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-4698.html">CVE-2014-4698</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-5120.html">CVE-2014-5120</cve>
<bugzilla href="https://bugzilla.redhat.com/1076676" id="1076676">CVE-2014-2497 gd: NULL pointer dereference in gdImageCreateFromXpm()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098222" id="1098222">CVE-2014-3538 file: unrestricted regular expression matching</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104863" id="1104863">CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120259" id="1120259">CVE-2014-4698 php: ArrayIterator use-after-free due to object change during sorting</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120266" id="1120266">CVE-2014-4670 php: SPL Iterators use-after-free</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1128587" id="1128587">CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132589" id="1132589">CVE-2014-3597 php: multiple buffer over-reads in php_parserr</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132793" id="1132793">CVE-2014-5120 php: gd extension NUL byte injection in file names</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="php is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327005"/>
<criterion comment="php is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013006"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-bcmath is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327037"/>
<criterion comment="php-bcmath is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013010"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-cli is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327025"/>
<criterion comment="php-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013040"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-common is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327031"/>
<criterion comment="php-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013022"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-dba is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327011"/>
<criterion comment="php-dba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013046"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-devel is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327019"/>
<criterion comment="php-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013044"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-embedded is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327041"/>
<criterion comment="php-embedded is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013032"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-enchant is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327027"/>
<criterion comment="php-enchant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013052"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-fpm is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327023"/>
<criterion comment="php-fpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013054"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-gd is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327045"/>
<criterion comment="php-gd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013024"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-intl is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327039"/>
<criterion comment="php-intl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013012"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-ldap is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327009"/>
<criterion comment="php-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013016"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mbstring is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327047"/>
<criterion comment="php-mbstring is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013048"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mysql is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327043"/>
<criterion comment="php-mysql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013050"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mysqlnd is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327017"/>
<criterion comment="php-mysqlnd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013028"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-odbc is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327049"/>
<criterion comment="php-odbc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013026"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pdo is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327051"/>
<criterion comment="php-pdo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013008"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pgsql is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327021"/>
<criterion comment="php-pgsql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013018"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-process is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327035"/>
<criterion comment="php-process is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013030"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pspell is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327029"/>
<criterion comment="php-pspell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013042"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-recode is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327015"/>
<criterion comment="php-recode is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013034"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-snmp is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327013"/>
<criterion comment="php-snmp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013036"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-soap is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327053"/>
<criterion comment="php-soap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013014"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xml is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327033"/>
<criterion comment="php-xml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013020"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xmlrpc is earlier than 0:5.4.16-23.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141327007"/>
<criterion comment="php-xmlrpc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013038"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141352" version="601">
<metadata>
<title>RHSA-2014:1352: libvirt security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1352-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1352.html" source="RHSA"/>
<reference ref_id="CVE-2014-3633" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3633.html" source="CVE"/>
<reference ref_id="CVE-2014-3657" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3657.html" source="CVE"/>
<description>The libvirt library is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems.
In addition, libvirt provides tools for remote management of
virtualized systems.
An out-of-bounds read flaw was found in the way libvirt's
qemuDomainGetBlockIoTune() function looked up the disk index in a
non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd or,
potentially, leak memory from the libvirtd process. (CVE-2014-3633)
A denial of service flaw was found in the way libvirt's
virConnectListAllDomains() function computed the number of used domains.
A remote attacker able to establish a read-only connection to libvirtd
could use this flaw to make any domain operations within libvirt
unresponsive. (CVE-2014-3657)
The CVE-2014-3633 issue was discovered by Luyao Huang of Red Hat.
This update also fixes the following bug:
* Prior to this update, libvirt was setting the cpuset.mems parameter for
domains with numatune/memory[nodeset] prior to starting them. As a
consequence, domains with such a nodeset, which excluded the NUMA node with
DMA and DMA32 zones (found in /proc/zoneinfo), could not be started due to
failed KVM initialization. With this update, libvirt sets the cpuset.mems
parameter after the initialization, and domains with any nodeset (in
/numatune/memory) can be started without an error. (BZ#1135871)
All libvirt users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, libvirtd will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-01"/>
<updated date="2014-10-01"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3633.html">CVE-2014-3633</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3657.html">CVE-2014-3657</cve>
<bugzilla href="https://bugzilla.redhat.com/1141131" id="1141131">CVE-2014-3633 libvirt: qemu: out-of-bounds read access in qemuDomainGetBlockIoTune() due to invalid index</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1145667" id="1145667">CVE-2014-3657 libvirt: domain_conf: domain deadlock DoS</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libvirt is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352005"/>
<criterion comment="libvirt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-client is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352009"/>
<criterion comment="libvirt-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914034"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352023"/>
<criterion comment="libvirt-daemon is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914016"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-config-network is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352035"/>
<criterion comment="libvirt-daemon-config-network is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-config-nwfilter is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352031"/>
<criterion comment="libvirt-daemon-config-nwfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914022"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-interface is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352029"/>
<criterion comment="libvirt-daemon-driver-interface is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914028"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-lxc is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352021"/>
<criterion comment="libvirt-daemon-driver-lxc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914026"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-network is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352013"/>
<criterion comment="libvirt-daemon-driver-network is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-nodedev is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352027"/>
<criterion comment="libvirt-daemon-driver-nodedev is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914020"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-nwfilter is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352025"/>
<criterion comment="libvirt-daemon-driver-nwfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914038"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-qemu is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352043"/>
<criterion comment="libvirt-daemon-driver-qemu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914040"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-secret is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352015"/>
<criterion comment="libvirt-daemon-driver-secret is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-storage is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352037"/>
<criterion comment="libvirt-daemon-driver-storage is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914018"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-kvm is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352039"/>
<criterion comment="libvirt-daemon-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914044"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-lxc is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352019"/>
<criterion comment="libvirt-daemon-lxc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914030"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-devel is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352011"/>
<criterion comment="libvirt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914024"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-docs is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352017"/>
<criterion comment="libvirt-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914032"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-lock-sanlock is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352041"/>
<criterion comment="libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914042"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-login-shell is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352033"/>
<criterion comment="libvirt-login-shell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914014"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-python is earlier than 0:1.1.1-29.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141352007"/>
<criterion comment="libvirt-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914036"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141359" version="601">
<metadata>
<title>RHSA-2014:1359: polkit-qt security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1359-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1359.html" source="RHSA"/>
<reference ref_id="CVE-2014-5033" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-5033.html" source="CVE"/>
<description>Polkit-qt is a library that lets developers use the PolicyKit API through a
Qt-styled API. The polkit-qt library is used by the KDE Authentication
Agent (KAuth), which is a part of kdelibs.
It was found that polkit-qt handled authorization requests with PolicyKit
via a D-Bus API that is vulnerable to a race condition. A local user could
use this flaw to bypass intended PolicyKit authorizations. This update
modifies polkit-qt to communicate with PolicyKit via a different API that
is not vulnerable to the race condition. (CVE-2014-5033)
All polkit-qt users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-06"/>
<updated date="2014-10-06"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-5033.html">CVE-2014-5033</cve>
<bugzilla href="https://bugzilla.redhat.com/1094890" id="1094890">CVE-2014-5033 polkit-qt: insecure calling of polkit</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="polkit-qt is earlier than 0:0.103.0-10.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141359005"/>
<criterion comment="polkit-qt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141359006"/>
</criteria>
<criteria operator="AND">
<criterion comment="polkit-qt-devel is earlier than 0:0.103.0-10.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141359007"/>
<criterion comment="polkit-qt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141359008"/>
</criteria>
<criteria operator="AND">
<criterion comment="polkit-qt-doc is earlier than 0:0.103.0-10.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141359009"/>
<criterion comment="polkit-qt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141359010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141397" version="601">
<metadata>
<title>RHSA-2014:1397: rsyslog security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1397-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1397.html" source="RHSA"/>
<reference ref_id="CVE-2014-3634" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3634.html" source="CVE"/>
<description>The rsyslog packages provide an enhanced, multi-threaded syslog daemon
that supports writing to relational databases, syslog/TCP, RFC 3195,
permitted sender lists, filtering on any message part, and fine grained
output format control.
A flaw was found in the way rsyslog handled invalid log message priority
values. In certain configurations, a local attacker, or a remote attacker
able to connect to the rsyslog port, could use this flaw to crash the
rsyslog daemon or, potentially, execute arbitrary code as the user running
the rsyslog daemon. (CVE-2014-3634)
Red Hat would like to thank Rainer Gerhards of rsyslog upstream for
reporting this issue.
All rsyslog users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, the rsyslog service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-13"/>
<updated date="2014-10-13"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3634.html">CVE-2014-3634</cve>
<bugzilla href="https://bugzilla.redhat.com/1142373" id="1142373">CVE-2014-3634 rsyslog: remote syslog PRI vulnerability</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="rsyslog is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397005"/>
<criterion comment="rsyslog is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397006"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-crypto is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397009"/>
<criterion comment="rsyslog-crypto is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397010"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-doc is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397019"/>
<criterion comment="rsyslog-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397020"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-elasticsearch is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397021"/>
<criterion comment="rsyslog-elasticsearch is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397022"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-gnutls is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397033"/>
<criterion comment="rsyslog-gnutls is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397034"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-gssapi is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397027"/>
<criterion comment="rsyslog-gssapi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397028"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-libdbi is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397015"/>
<criterion comment="rsyslog-libdbi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397016"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-mmaudit is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397007"/>
<criterion comment="rsyslog-mmaudit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397008"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-mmjsonparse is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397017"/>
<criterion comment="rsyslog-mmjsonparse is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397018"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-mmnormalize is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397031"/>
<criterion comment="rsyslog-mmnormalize is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397032"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-mmsnmptrapd is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397023"/>
<criterion comment="rsyslog-mmsnmptrapd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397024"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-mysql is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397013"/>
<criterion comment="rsyslog-mysql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397014"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-pgsql is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397029"/>
<criterion comment="rsyslog-pgsql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397030"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-relp is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397011"/>
<criterion comment="rsyslog-relp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397012"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-snmp is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397035"/>
<criterion comment="rsyslog-snmp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397036"/>
</criteria>
<criteria operator="AND">
<criterion comment="rsyslog-udpspoof is earlier than 0:7.4.7-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141397025"/>
<criterion comment="rsyslog-udpspoof is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141397026"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141620" version="601">
<metadata>
<title>RHSA-2014:1620: java-1.7.0-openjdk security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1620-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1620.html" source="RHSA"/>
<reference ref_id="CVE-2014-6457" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6457.html" source="CVE"/>
<reference ref_id="CVE-2014-6502" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6502.html" source="CVE"/>
<reference ref_id="CVE-2014-6504" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6504.html" source="CVE"/>
<reference ref_id="CVE-2014-6506" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6506.html" source="CVE"/>
<reference ref_id="CVE-2014-6511" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6511.html" source="CVE"/>
<reference ref_id="CVE-2014-6512" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6512.html" source="CVE"/>
<reference ref_id="CVE-2014-6517" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6517.html" source="CVE"/>
<reference ref_id="CVE-2014-6519" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6519.html" source="CVE"/>
<reference ref_id="CVE-2014-6531" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6531.html" source="CVE"/>
<reference ref_id="CVE-2014-6558" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6558.html" source="CVE"/>
<description>The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components
in OpenJDK. An untrusted Java application or applet could use these flaws
to bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531,
CVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)
It was discovered that the StAX XML parser in the JAXP component in OpenJDK
performed expansion of external parameter entities even when external
entity substitution was disabled. A remote attacker could use this flaw to
perform XML eXternal Entity (XXE) attack against applications using the
StAX parser to parse untrusted XML documents. (CVE-2014-6517)
It was discovered that the DatagramSocket implementation in OpenJDK failed
to perform source address checks for packets received on a connected
socket. A remote attacker could use this flaw to have their packets
processed as if they were received from the expected source.
(CVE-2014-6512)
It was discovered that the TLS/SSL implementation in the JSSE component in
OpenJDK failed to properly verify the server identity during the
renegotiation following session resumption, making it possible for
malicious TLS/SSL servers to perform a Triple Handshake attack against
clients using JSSE and client certificate authentication. (CVE-2014-6457)
It was discovered that the CipherInputStream class implementation in
OpenJDK did not properly handle certain exceptions. This could possibly
allow an attacker to affect the integrity of an encrypted stream handled by
this class. (CVE-2014-6558)
The CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product
Security.
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
This update also fixes the following bug:
* The TLS/SSL implementation in OpenJDK previously failed to handle
Diffie-Hellman (DH) keys with more than 1024 bits. This caused client
applications using JSSE to fail to establish TLS/SSL connections to servers
using larger DH keys during the connection handshake. This update adds
support for DH keys with size up to 2048 bits. (BZ#1148309)
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-15"/>
<updated date="2014-10-15"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6457.html">CVE-2014-6457</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6502.html">CVE-2014-6502</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6504.html">CVE-2014-6504</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6506.html">CVE-2014-6506</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6511.html">CVE-2014-6511</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6512.html">CVE-2014-6512</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6517.html">CVE-2014-6517</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6519.html">CVE-2014-6519</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6531.html">CVE-2014-6531</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6558.html">CVE-2014-6558</cve>
<bugzilla href="https://bugzilla.redhat.com/1071210" id="1071210">CVE-2014-6512 OpenJDK: DatagramSocket connected socket missing source check (Libraries, 8039509)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150155" id="1150155">CVE-2014-6506 OpenJDK: insufficient permission checks when setting resource bundle on system logger (Libraries, 8041564)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150182" id="1150182">CVE-2014-6504 OpenJDK: incorrect optimization of range checks in C2 compiler (Hotspot, 8022783)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150273" id="1150273">CVE-2014-6519 OpenJDK: missing BootstrapMethods bounds check (Hotspot, 8041717)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150651" id="1150651">CVE-2014-6531 OpenJDK: insufficient ResourceBundle name check (Libraries, 8044274)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150669" id="1150669">CVE-2014-6502 OpenJDK: LogRecord use of incorrect CL when loading ResourceBundle (Libraries, 8042797)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151046" id="1151046">CVE-2014-6457 OpenJDK: Triple Handshake attack against TLS/SSL connections (JSSE, 8037066)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151063" id="1151063">CVE-2014-6558 OpenJDK: CipherInputStream incorrect exception handling (Security, 8037846)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151364" id="1151364">CVE-2014-6517 OpenJDK: StAX parser parameter entity XXE (JAXP, 8039533)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151517" id="1151517">CVE-2014-6511 ICU: Layout Engine ContextualSubstitution missing boundary checks (JDK 2D, 8041540)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.71-2.5.3.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141620005"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.71-2.5.3.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141620011"/>
<criterion comment="java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.71-2.5.3.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141620007"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.71-2.5.3.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141620009"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.71-2.5.3.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141620013"/>
<criterion comment="java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.71-2.5.3.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141620015"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.71-2.5.3.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141620017"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.71-2.5.3.1.el6" test_ref="oval:com.redhat.rhsa:tst:20141620023"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.71-2.5.3.1.el6" test_ref="oval:com.redhat.rhsa:tst:20141620027"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.71-2.5.3.1.el6" test_ref="oval:com.redhat.rhsa:tst:20141620026"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.71-2.5.3.1.el6" test_ref="oval:com.redhat.rhsa:tst:20141620024"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.71-2.5.3.1.el6" test_ref="oval:com.redhat.rhsa:tst:20141620025"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141634" version="601">
<metadata>
<title>RHSA-2014:1634: java-1.6.0-openjdk security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1634-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1634.html" source="RHSA"/>
<reference ref_id="CVE-2014-6457" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6457.html" source="CVE"/>
<reference ref_id="CVE-2014-6502" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6502.html" source="CVE"/>
<reference ref_id="CVE-2014-6504" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6504.html" source="CVE"/>
<reference ref_id="CVE-2014-6506" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6506.html" source="CVE"/>
<reference ref_id="CVE-2014-6511" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6511.html" source="CVE"/>
<reference ref_id="CVE-2014-6512" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6512.html" source="CVE"/>
<reference ref_id="CVE-2014-6517" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6517.html" source="CVE"/>
<reference ref_id="CVE-2014-6519" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6519.html" source="CVE"/>
<reference ref_id="CVE-2014-6531" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6531.html" source="CVE"/>
<reference ref_id="CVE-2014-6558" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6558.html" source="CVE"/>
<description>The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components
in OpenJDK. An untrusted Java application or applet could use these flaws
to bypass certain Java sandbox restrictions. (CVE-2014-6506, CVE-2014-6531,
CVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519)
It was discovered that the StAX XML parser in the JAXP component in OpenJDK
performed expansion of external parameter entities even when external
entity substitution was disabled. A remote attacker could use this flaw to
perform XML eXternal Entity (XXE) attack against applications using the
StAX parser to parse untrusted XML documents. (CVE-2014-6517)
It was discovered that the DatagramSocket implementation in OpenJDK failed
to perform source address checks for packets received on a connected
socket. A remote attacker could use this flaw to have their packets
processed as if they were received from the expected source.
(CVE-2014-6512)
It was discovered that the TLS/SSL implementation in the JSSE component in
OpenJDK failed to properly verify the server identity during the
renegotiation following session resumption, making it possible for
malicious TLS/SSL servers to perform a Triple Handshake attack against
clients using JSSE and client certificate authentication. (CVE-2014-6457)
It was discovered that the CipherInputStream class implementation in
OpenJDK did not properly handle certain exceptions. This could possibly
allow an attacker to affect the integrity of an encrypted stream handled by
this class. (CVE-2014-6558)
The CVE-2014-6512 was discovered by Florian Weimer of Red Hat Product
Security.
This update also fixes the following bug:
* The TLS/SSL implementation in OpenJDK previously failed to handle
Diffie-Hellman (DH) keys with more than 1024 bits. This caused client
applications using JSSE to fail to establish TLS/SSL connections to servers
using larger DH keys during the connection handshake. This update adds
support for DH keys with size up to 2048 bits. (BZ#1148309)
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-14"/>
<updated date="2014-10-15"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6457.html">CVE-2014-6457</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6502.html">CVE-2014-6502</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6504.html">CVE-2014-6504</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6506.html">CVE-2014-6506</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6511.html">CVE-2014-6511</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6512.html">CVE-2014-6512</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6517.html">CVE-2014-6517</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6519.html">CVE-2014-6519</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6531.html">CVE-2014-6531</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6558.html">CVE-2014-6558</cve>
<bugzilla href="https://bugzilla.redhat.com/1071210" id="1071210">CVE-2014-6512 OpenJDK: DatagramSocket connected socket missing source check (Libraries, 8039509)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150155" id="1150155">CVE-2014-6506 OpenJDK: insufficient permission checks when setting resource bundle on system logger (Libraries, 8041564)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150182" id="1150182">CVE-2014-6504 OpenJDK: incorrect optimization of range checks in C2 compiler (Hotspot, 8022783)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150273" id="1150273">CVE-2014-6519 OpenJDK: missing BootstrapMethods bounds check (Hotspot, 8041717)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150651" id="1150651">CVE-2014-6531 OpenJDK: insufficient ResourceBundle name check (Libraries, 8044274)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150669" id="1150669">CVE-2014-6502 OpenJDK: LogRecord use of incorrect CL when loading ResourceBundle (Libraries, 8042797)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151046" id="1151046">CVE-2014-6457 OpenJDK: Triple Handshake attack against TLS/SSL connections (JSSE, 8037066)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151063" id="1151063">CVE-2014-6558 OpenJDK: CipherInputStream incorrect exception handling (Security, 8037846)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151364" id="1151364">CVE-2014-6517 OpenJDK: StAX parser parameter entity XXE (JAXP, 8039533)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151517" id="1151517">CVE-2014-6511 ICU: Layout Engine ContextualSubstitution missing boundary checks (JDK 2D, 8041540)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.33-1.13.5.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141634002"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907003"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.33-1.13.5.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141634006"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907011"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.33-1.13.5.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141634010"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907009"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.33-1.13.5.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141634008"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907007"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.33-1.13.5.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141634004"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907005"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.33-1.13.5.0.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141634016"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.33-1.13.5.0.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141634020"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.33-1.13.5.0.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141634024"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.33-1.13.5.0.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141634018"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.33-1.13.5.0.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141634022"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.33-1.13.5.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141634030"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.33-1.13.5.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141634034"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.33-1.13.5.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141634032"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.33-1.13.5.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141634033"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.33-1.13.5.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141634031"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141635" version="601">
<metadata>
<title>RHSA-2014:1635: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1635-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1635.html" source="RHSA"/>
<reference ref_id="CVE-2014-1574" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1574.html" source="CVE"/>
<reference ref_id="CVE-2014-1576" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1576.html" source="CVE"/>
<reference ref_id="CVE-2014-1577" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1577.html" source="CVE"/>
<reference ref_id="CVE-2014-1578" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1578.html" source="CVE"/>
<reference ref_id="CVE-2014-1581" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1581.html" source="CVE"/>
<reference ref_id="CVE-2014-1583" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-1583.html" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2014-1574, CVE-2014-1578, CVE-2014-1581, CVE-2014-1576,
CVE-2014-1577)
A flaw was found in the Alarm API, which allows applications to schedule
actions to be run in the future. A malicious web application could use this
flaw to bypass cross-origin restrictions. (CVE-2014-1583)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Bobby Holley, Christian Holler, David Bolter, Byron
Campen Jon Coppeard, Atte Kettunen, Holger Fuhrmannek, Abhishek Arya,
regenrecht, and Boris Zbarsky as the original reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 31.2.0 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 31.2.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-14"/>
<updated date="2014-10-15"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1574.html">CVE-2014-1574</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1576.html">CVE-2014-1576</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1577.html">CVE-2014-1577</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1578.html">CVE-2014-1578</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1581.html">CVE-2014-1581</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-1583.html">CVE-2014-1583</cve>
<bugzilla href="https://bugzilla.redhat.com/1152356" id="1152356">CVE-2014-1574 Mozilla: Miscellaneous memory safety hazards (rv:31.2) (MFSA 2014-74)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152358" id="1152358">CVE-2014-1576 Mozilla: Buffer overflow during CSS manipulation (MFSA 2014-75)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152359" id="1152359">CVE-2014-1577 Mozilla: Web Audio memory corruption issues with custom waveforms (MFSA 2014-76)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152361" id="1152361">CVE-2014-1578 Mozilla: Out-of-bounds write with WebM video (MFSA 2014-77)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152363" id="1152363">CVE-2014-1581 Mozilla: Use-after-free interacting with text directionality (MFSA 2014-79)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152683" id="1152683">CVE-2014-1583 Mozilla: Accessing cross-origin objects via the Alarms API (MFSA 2014-82)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:31.2.0-3.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141635002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xulrunner is earlier than 0:31.2.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141635008"/>
<criterion comment="xulrunner is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner-devel is earlier than 0:31.2.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141635010"/>
<criterion comment="xulrunner-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741018"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.2.0-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141635012"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.2.0-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141635018"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141652" version="601">
<metadata>
<title>RHSA-2014:1652: openssl security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1652-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1652.html" source="RHSA"/>
<reference ref_id="CVE-2014-3513" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3513.html" source="CVE"/>
<reference ref_id="CVE-2014-3567" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3567.html" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
library.
This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails.
This can prevent a forceful downgrade of the communication to SSL 3.0.
The SSL 3.0 protocol was found to be vulnerable to the padding oracle
attack when using block cipher suites in cipher block chaining (CBC) mode.
This issue is identified as CVE-2014-3566, and also known under the alias
POODLE. This SSL 3.0 protocol flaw will not be addressed in a future
update; it is recommended that users configure their applications to
require at least TLS protocol version 1.0 for secure communication.
For additional information about this flaw, see the Knowledgebase article
at https://access.redhat.com/articles/1232123
A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure
Real-time Transport Protocol (SRTP) extension data. A remote attacker could
send multiple specially crafted handshake messages to exhaust all available
memory of an SSL/TLS or DTLS server. (CVE-2014-3513)
A memory leak flaw was found in the way an OpenSSL handled failed session
ticket integrity checks. A remote attacker could exhaust all available
memory of an SSL/TLS or DTLS server by sending a large number of invalid
session tickets to that server. (CVE-2014-3567)
All OpenSSL users are advised to upgrade to these updated packages, which
contain backported patches to mitigate the CVE-2014-3566 issue and correct
the CVE-2014-3513 and CVE-2014-3567 issues. For the update to take effect,
all services linked to the OpenSSL library (such as httpd and other
SSL-enabled services) must be restarted or the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-16"/>
<updated date="2014-10-16"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3513.html">CVE-2014-3513</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3567.html">CVE-2014-3567</cve>
<bugzilla href="https://bugzilla.redhat.com/1152789" id="1152789">CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152953" id="1152953">CVE-2014-3513 openssl: SRTP memory leak causes crash when using specially-crafted handshake message</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152961" id="1152961">CVE-2014-3567 openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-34.el7_0.6" test_ref="oval:com.redhat.rhsa:tst:20141652005"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.6" test_ref="oval:com.redhat.rhsa:tst:20141652007"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.6" test_ref="oval:com.redhat.rhsa:tst:20141652011"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.6" test_ref="oval:com.redhat.rhsa:tst:20141652009"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.6" test_ref="oval:com.redhat.rhsa:tst:20141652013"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 0:1.0.1e-30.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20141652019"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 0:1.0.1e-30.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20141652022"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 0:1.0.1e-30.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20141652020"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 0:1.0.1e-30.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20141652021"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141655" version="601">
<metadata>
<title>RHSA-2014:1655: libxml2 security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2014:1655-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1655.html" source="RHSA"/>
<reference ref_id="CVE-2014-3660" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3660.html" source="CVE"/>
<description>The libxml2 library is a development toolbox providing the implementation
of various XML standards.
A denial of service flaw was found in libxml2, a library providing support
to read, modify and write XML and HTML files. A remote attacker could
provide a specially crafted XML file that, when processed by an application
using libxml2, would lead to excessive CPU consumption (denial of service)
based on excessive entity substitutions, even if entity substitution was
disabled, which is the parser default behavior. (CVE-2014-3660)
All libxml2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. The desktop must be
restarted (log out, then log back in) for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-16"/>
<updated date="2014-10-16"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3660.html">CVE-2014-3660</cve>
<bugzilla href="https://bugzilla.redhat.com/1149084" id="1149084">CVE-2014-3660 libxml2: denial of service via recursive entity expansion</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libxml2 is earlier than 0:2.9.1-5.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141655005"/>
<criterion comment="libxml2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-devel is earlier than 0:2.9.1-5.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141655007"/>
<criterion comment="libxml2-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-python is earlier than 0:2.9.1-5.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141655011"/>
<criterion comment="libxml2-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-static is earlier than 0:2.9.1-5.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141655009"/>
<criterion comment="libxml2-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655010"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libxml2 is earlier than 0:2.7.6-17.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141655017"/>
<criterion comment="libxml2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-devel is earlier than 0:2.7.6-17.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141655019"/>
<criterion comment="libxml2-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-python is earlier than 0:2.7.6-17.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141655020"/>
<criterion comment="libxml2-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-static is earlier than 0:2.7.6-17.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141655018"/>
<criterion comment="libxml2-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655010"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141669" version="602">
<metadata>
<title>RHSA-2014:1669: qemu-kvm security and bug fix update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1669-01" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1669.html" source="RHSA"/>
<reference ref_id="CVE-2014-3615" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-3615.html" source="CVE"/>
<description>KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the
user-space component for running virtual machines using KVM.
An information leak flaw was found in the way QEMU's VGA emulator accessed
frame buffer memory for high resolution displays. A privileged guest user
could use this flaw to leak memory contents of the host to the guest by
setting the display to use a high resolution in the guest. (CVE-2014-3615)
This issue was discovered by Laszlo Ersek of Red Hat.
This update also fixes the following bug:
* This update fixes a regression in the scsi_block_new_request() function,
which caused all read requests to through SG_IO if the host cache was not
used. (BZ#1141189)
All qemu-kvm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-20"/>
<updated date="2014-10-20"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-3615.html">CVE-2014-3615</cve>
<bugzilla href="https://bugzilla.redhat.com/1139115" id="1139115">CVE-2014-3615 Qemu: information leakage when guest sets high resolution</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libcacard is earlier than 10:1.5.3-60.el7_0.10" test_ref="oval:com.redhat.rhsa:tst:20141669009"/>
<criterion comment="libcacard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-devel is earlier than 10:1.5.3-60.el7_0.10" test_ref="oval:com.redhat.rhsa:tst:20141669015"/>
<criterion comment="libcacard-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-tools is earlier than 10:1.5.3-60.el7_0.10" test_ref="oval:com.redhat.rhsa:tst:20141669007"/>
<criterion comment="libcacard-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704016"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.10" test_ref="oval:com.redhat.rhsa:tst:20141669011"/>
<criterion comment="qemu-guest-agent is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704012"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-img is earlier than 10:1.5.3-60.el7_0.10" test_ref="oval:com.redhat.rhsa:tst:20141669013"/>
<criterion comment="qemu-img is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704014"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm is earlier than 10:1.5.3-60.el7_0.10" test_ref="oval:com.redhat.rhsa:tst:20141669005"/>
<criterion comment="qemu-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704006"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.10" test_ref="oval:com.redhat.rhsa:tst:20141669017"/>
<criterion comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704018"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.10" test_ref="oval:com.redhat.rhsa:tst:20141669019"/>
<criterion comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141676" version="601">
<metadata>
<title>RHSA-2014:1676: wireshark security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1676-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1676.html" source="RHSA"/>
<reference ref_id="CVE-2014-6421" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6421.html" source="CVE"/>
<reference ref_id="CVE-2014-6422" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6422.html" source="CVE"/>
<reference ref_id="CVE-2014-6423" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6423.html" source="CVE"/>
<reference ref_id="CVE-2014-6424" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6424.html" source="CVE"/>
<reference ref_id="CVE-2014-6425" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6425.html" source="CVE"/>
<reference ref_id="CVE-2014-6426" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6426.html" source="CVE"/>
<reference ref_id="CVE-2014-6427" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6427.html" source="CVE"/>
<reference ref_id="CVE-2014-6428" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6428.html" source="CVE"/>
<reference ref_id="CVE-2014-6429" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6429.html" source="CVE"/>
<reference ref_id="CVE-2014-6430" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6430.html" source="CVE"/>
<reference ref_id="CVE-2014-6431" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6431.html" source="CVE"/>
<reference ref_id="CVE-2014-6432" ref_url="https://www.redhat.com/security/data/cve/CVE-2014-6432.html" source="CVE"/>
<description>Wireshark is a network protocol analyzer. It is used to capture and browse
the traffic running on a computer network.
Multiple flaws were found in Wireshark. If Wireshark read a malformed
packet off a network or opened a malicious dump file, it could crash or,
possibly, execute arbitrary code as the user running Wireshark.
(CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432)
Several denial of service flaws were found in Wireshark. Wireshark could
crash or stop responding if it read a malformed packet off a network, or
opened a malicious dump file. (CVE-2014-6421, CVE-2014-6422, CVE-2014-6423,
CVE-2014-6424, CVE-2014-6425, CVE-2014-6426, CVE-2014-6427, CVE-2014-6428)
All wireshark users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. All running instances
of Wireshark must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-21"/>
<updated date="2014-10-21"/>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6421.html">CVE-2014-6421</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6422.html">CVE-2014-6422</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6423.html">CVE-2014-6423</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6424.html">CVE-2014-6424</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6425.html">CVE-2014-6425</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6426.html">CVE-2014-6426</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6427.html">CVE-2014-6427</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6428.html">CVE-2014-6428</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6429.html">CVE-2014-6429</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6430.html">CVE-2014-6430</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6431.html">CVE-2014-6431</cve>
<cve href="https://www.redhat.com/security/data/cve/CVE-2014-6432.html">CVE-2014-6432</cve>
<bugzilla href="https://bugzilla.redhat.com/1142602" id="1142602">CVE-2014-6429 CVE-2014-6430 CVE-2014-6431 CVE-2014-6432 wireshark: DOS Sniffer file parser flaw (wnpa-sec-2014-19)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142603" id="1142603">CVE-2014-6428 wireshark: SES dissector crash (wnpa-sec-2014-18)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142604" id="1142604">CVE-2014-6427 wireshark: RTSP dissector crash (wnpa-sec-2014-17)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142606" id="1142606">CVE-2014-6426 wireshark: HIP dissector infinite loop (wnpa-sec-2014-16)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142608" id="1142608">CVE-2014-6425 wireshark: CUPS dissector crash (wnpa-sec-2014-15)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142609" id="1142609">CVE-2014-6424 wireshark: Netflow dissector crash (wnpa-sec-2014-14)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142610" id="1142610">CVE-2014-6423 wireshark: MEGACO dissector infinite loop (wnpa-sec-2014-13)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142611" id="1142611">CVE-2014-6421 CVE-2014-6422 wireshark: RTP dissector crash (wnpa-sec-2014-12)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="wireshark is earlier than 0:1.10.3-12.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141676005"/>
<criterion comment="wireshark is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141676006"/>
</criteria>
<criteria operator="AND">
<criterion comment="wireshark-devel is earlier than 0:1.10.3-12.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141676007"/>
<criterion comment="wireshark-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141676008"/>
</criteria>
<criteria operator="AND">
<criterion comment="wireshark-gnome is earlier than 0:1.10.3-12.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141676009"/>
<criterion comment="wireshark-gnome is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141676010"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="wireshark is earlier than 0:1.8.10-8.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141676015"/>
<criterion comment="wireshark is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141676006"/>
</criteria>
<criteria operator="AND">
<criterion comment="wireshark-devel is earlier than 0:1.8.10-8.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141676017"/>
<criterion comment="wireshark-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141676008"/>
</criteria>
<criteria operator="AND">
<criterion comment="wireshark-gnome is earlier than 0:1.8.10-8.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141676016"/>
<criterion comment="wireshark-gnome is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141676010"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141724" version="601">
<metadata>
<title>RHSA-2014:1724: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1724-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1724.html" source="RHSA"/>
<reference ref_id="CVE-2014-3611" ref_url="https://access.redhat.com/security/cve/CVE-2014-3611" source="CVE"/>
<reference ref_id="CVE-2014-3645" ref_url="https://access.redhat.com/security/cve/CVE-2014-3645" source="CVE"/>
<reference ref_id="CVE-2014-3646" ref_url="https://access.redhat.com/security/cve/CVE-2014-3646" source="CVE"/>
<reference ref_id="CVE-2014-4653" ref_url="https://access.redhat.com/security/cve/CVE-2014-4653" source="CVE"/>
<reference ref_id="CVE-2014-5077" ref_url="https://access.redhat.com/security/cve/CVE-2014-5077" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security fixes:
* A race condition flaw was found in the way the Linux kernel's KVM
subsystem handled PIT (Programmable Interval Timer) emulation. A guest user
who has access to the PIT I/O ports could use this flaw to crash the host.
(CVE-2014-3611, Important)
* A NULL pointer dereference flaw was found in the way the Linux kernel's
Stream Control Transmission Protocol (SCTP) implementation handled
simultaneous connections between the same hosts. A remote attacker could
use this flaw to crash the system. (CVE-2014-5077, Important)
* It was found that the Linux kernel's KVM subsystem did not handle the VM
exits gracefully for the invept (Invalidate Translations Derived from EPT)
and invvpid (Invalidate Translations Based on VPID) instructions. On hosts
with an Intel processor and invept/invppid VM exit support, an unprivileged
guest user could use these instructions to crash the guest. (CVE-2014-3645,
CVE-2014-3646, Moderate)
* A use-after-free flaw was found in the way the Linux kernel's Advanced
Linux Sound Architecture (ALSA) implementation handled user controls. A
local, privileged user could use this flaw to crash the system.
(CVE-2014-4653, Moderate)
Red Hat would like to thank Lars Bull of Google for reporting
CVE-2014-3611, and the Advanced Threat Research team at Intel Security for
reporting CVE-2014-3645 and CVE-2014-3646.
Bug fixes:
* A known issue that could prevent Chelsio adapters using the cxgb4 driver
from being initialized on IBM POWER8 systems has been fixed. These
adapters can now be used on IBM POWER8 systems as expected. (BZ#1130548)
* When bringing a hot-added CPU online, the kernel did not initialize a
CPU mask properly, which could result in a kernel panic. This update
corrects the bug by ensuring that the CPU mask is properly initialized and
the correct NUMA node selected. (BZ#1134715)
* The kernel could fail to bring a CPU online if the hardware supported
both, the acpi-cpufreq and intel_pstate modules. This update ensures that
the acpi-cpufreq module is not loaded in the intel_pstate module is
loaded. (BZ#1134716)
* Due to a bug in the time accounting of the kernel scheduler, a divide
error could occur when hot adding a CPU. To fix this problem, the kernel
scheduler time accounting has been reworked. (BZ#1134717)
* The kernel did not handle exceptions caused by an invalid floating point
control (FPC) register, resulting in a kernel oops. This problem has been
fixed by placing the label to handle these exceptions to the correct place
in the code. (BZ#1138733)
* A previous change to the kernel for the PowerPC architecture changed
implementation of the compat_sys_sendfile() function. Consequently, the
64-bit sendfile() system call stopped working for files larger than 2 GB
on PowerPC. This update restores previous behavior of sendfile() on
PowerPC, and it again process files bigger than 2 GB as expected.
(BZ#1139126)
* Previously, the kernel scheduler could schedule a CPU topology update
even though the topology did not change. This could negatively affect the
CPU load balancing, cause degradation of the system performance, and
eventually result in a kernel oops. This problem has been fixed by
skipping the CPU topology update if the topology has not actually changed.
(BZ#1140300)
* Previously, recovery of a double-degraded RAID6 array could, under
certain circumstances, result in data corruption. This could happen
because the md driver was using an optimization that is safe to use only
for single-degraded arrays. This update ensures that this optimization is
skipped during the recovery of double-degraded RAID6 arrays. (BZ#1143850)
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-28"/>
<updated date="2014-10-28"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3611">CVE-2014-3611</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3645">CVE-2014-3645</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3646">CVE-2014-3646</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4653">CVE-2014-4653</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-5077">CVE-2014-5077</cve>
<bugzilla href="https://bugzilla.redhat.com/1113409" id="1113409">CVE-2014-4653 Kernel: ALSA: control: do not access controls outside of protected regions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1122982" id="1122982">CVE-2014-5077 Kernel: net: SCTP: fix a NULL pointer dereference during INIT collisions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144825" id="1144825">CVE-2014-3646 kernel: kvm: vmx: invvpid vm exit not handled</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144835" id="1144835">CVE-2014-3645 kernel: kvm: vmx: invept vm exit not handled</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144878" id="1144878">CVE-2014-3611 kernel: kvm: PIT timer race condition</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724031"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724021"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724009"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724023"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724033"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724027"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724029"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724017"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724011"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724013"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724015"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-123.9.2.el7" test_ref="oval:com.redhat.rhsa:tst:20141724019"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141764" version="601">
<metadata>
<title>RHSA-2014:1764: wget security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2014:1764-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1764.html" source="RHSA"/>
<reference ref_id="CVE-2014-4877" ref_url="https://access.redhat.com/security/cve/CVE-2014-4877" source="CVE"/>
<description>The wget package provides the GNU Wget file retrieval utility for HTTP,
HTTPS, and FTP protocols.
A flaw was found in the way Wget handled symbolic links. A malicious FTP
server could allow Wget running in the mirror mode (using the '-m' command
line option) to write an arbitrary file to a location writable to by the
user running Wget, possibly leading to code execution. (CVE-2014-4877)
Note: This update changes the default value of the --retr-symlinks option.
The file symbolic links are now traversed by default and pointed-to files
are retrieved rather than creating a symbolic link locally.
Red Hat would like to thank the GNU Wget project for reporting this issue.
Upstream acknowledges HD Moore of Rapid7, Inc as the original reporter.
All users of wget are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-30"/>
<updated date="2014-10-30"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4877">CVE-2014-4877</cve>
<bugzilla href="https://bugzilla.redhat.com/1139181" id="1139181">CVE-2014-4877 wget: FTP symlink arbitrary filesystem access</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="wget is earlier than 0:1.14-10.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141764005"/>
<criterion comment="wget is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141764006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="wget is earlier than 0:1.12-5.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141764011"/>
<criterion comment="wget is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141764006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141767" version="601">
<metadata>
<title>RHSA-2014:1767: php security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1767-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1767.html" source="RHSA"/>
<reference ref_id="CVE-2014-3668" ref_url="https://access.redhat.com/security/cve/CVE-2014-3668" source="CVE"/>
<reference ref_id="CVE-2014-3669" ref_url="https://access.redhat.com/security/cve/CVE-2014-3669" source="CVE"/>
<reference ref_id="CVE-2014-3670" ref_url="https://access.redhat.com/security/cve/CVE-2014-3670" source="CVE"/>
<reference ref_id="CVE-2014-3710" ref_url="https://access.redhat.com/security/cve/CVE-2014-3710" source="CVE"/>
<description>PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.
A buffer overflow flaw was found in the Exif extension. A specially crafted
JPEG or TIFF file could cause a PHP application using the exif_thumbnail()
function to crash or, possibly, execute arbitrary code with the privileges
of the user running that PHP application. (CVE-2014-3670)
An integer overflow flaw was found in the way custom objects were
unserialized. Specially crafted input processed by the unserialize()
function could cause a PHP application to crash. (CVE-2014-3669)
An out-of-bounds read flaw was found in the way the File Information
(fileinfo) extension parsed Executable and Linkable Format (ELF) files.
A remote attacker could use this flaw to crash a PHP application using
fileinfo via a specially crafted ELF file. (CVE-2014-3710)
An out of bounds read flaw was found in the way the xmlrpc extension parsed
dates in the ISO 8601 format. A specially crafted XML-RPC request or
response could possibly cause a PHP application to crash. (CVE-2014-3668)
The CVE-2014-3710 issue was discovered by Francisco Alonso of Red Hat
Product Security.
All php users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the httpd daemon must be restarted for the update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-10-30"/>
<updated date="2014-10-30"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3668">CVE-2014-3668</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3669">CVE-2014-3669</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3670">CVE-2014-3670</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3710">CVE-2014-3710</cve>
<bugzilla href="https://bugzilla.redhat.com/1154500" id="1154500">CVE-2014-3669 php: integer overflow in unserialize()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1154502" id="1154502">CVE-2014-3670 php: heap corruption issue in exif_thumbnail()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1154503" id="1154503">CVE-2014-3668 php: xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1155071" id="1155071">CVE-2014-3710 file: out-of-bounds read in elf note headers</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="php is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767005"/>
<criterion comment="php is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013006"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-bcmath is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767047"/>
<criterion comment="php-bcmath is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013010"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-cli is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767023"/>
<criterion comment="php-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013040"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-common is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767013"/>
<criterion comment="php-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013022"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-dba is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767031"/>
<criterion comment="php-dba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013046"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-devel is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767009"/>
<criterion comment="php-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013044"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-embedded is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767025"/>
<criterion comment="php-embedded is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013032"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-enchant is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767049"/>
<criterion comment="php-enchant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013052"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-fpm is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767033"/>
<criterion comment="php-fpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013054"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-gd is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767035"/>
<criterion comment="php-gd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013024"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-intl is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767011"/>
<criterion comment="php-intl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013012"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-ldap is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767019"/>
<criterion comment="php-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013016"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mbstring is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767045"/>
<criterion comment="php-mbstring is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013048"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mysql is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767007"/>
<criterion comment="php-mysql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013050"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mysqlnd is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767029"/>
<criterion comment="php-mysqlnd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013028"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-odbc is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767017"/>
<criterion comment="php-odbc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013026"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pdo is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767015"/>
<criterion comment="php-pdo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013008"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pgsql is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767027"/>
<criterion comment="php-pgsql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013018"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-process is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767037"/>
<criterion comment="php-process is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013030"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pspell is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767021"/>
<criterion comment="php-pspell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013042"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-recode is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767051"/>
<criterion comment="php-recode is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013034"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-snmp is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767039"/>
<criterion comment="php-snmp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013036"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-soap is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767053"/>
<criterion comment="php-soap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013014"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xml is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767043"/>
<criterion comment="php-xml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013020"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xmlrpc is earlier than 0:5.4.16-23.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141767041"/>
<criterion comment="php-xmlrpc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013038"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="php is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767059"/>
<criterion comment="php is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013006"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-bcmath is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767079"/>
<criterion comment="php-bcmath is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013010"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-cli is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767067"/>
<criterion comment="php-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013040"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-common is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767077"/>
<criterion comment="php-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013022"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-dba is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767070"/>
<criterion comment="php-dba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013046"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-devel is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767080"/>
<criterion comment="php-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013044"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-embedded is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767061"/>
<criterion comment="php-embedded is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013032"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-enchant is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767064"/>
<criterion comment="php-enchant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013052"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-fpm is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767082"/>
<criterion comment="php-fpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013054"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-gd is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767081"/>
<criterion comment="php-gd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013024"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-imap is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767083"/>
<criterion comment="php-imap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141767084"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-intl is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767075"/>
<criterion comment="php-intl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013012"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-ldap is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767076"/>
<criterion comment="php-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013016"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mbstring is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767078"/>
<criterion comment="php-mbstring is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013048"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mysql is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767072"/>
<criterion comment="php-mysql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013050"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-odbc is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767071"/>
<criterion comment="php-odbc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013026"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pdo is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767088"/>
<criterion comment="php-pdo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013008"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pgsql is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767074"/>
<criterion comment="php-pgsql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013018"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-process is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767073"/>
<criterion comment="php-process is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013030"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pspell is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767066"/>
<criterion comment="php-pspell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013042"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-recode is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767063"/>
<criterion comment="php-recode is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013034"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-snmp is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767085"/>
<criterion comment="php-snmp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013036"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-soap is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767065"/>
<criterion comment="php-soap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013014"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-tidy is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767068"/>
<criterion comment="php-tidy is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141767069"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xml is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767062"/>
<criterion comment="php-xml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013020"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xmlrpc is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767060"/>
<criterion comment="php-xmlrpc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013038"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-zts is earlier than 0:5.3.3-40.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141767086"/>
<criterion comment="php-zts is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141767087"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141795" version="601">
<metadata>
<title>RHSA-2014:1795: cups-filters security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1795-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1795.html" source="RHSA"/>
<reference ref_id="CVE-2014-4337" ref_url="https://access.redhat.com/security/cve/CVE-2014-4337" source="CVE"/>
<reference ref_id="CVE-2014-4338" ref_url="https://access.redhat.com/security/cve/CVE-2014-4338" source="CVE"/>
<description>The cups-filters package contains backends, filters, and other software
that was once part of the core CUPS distribution but is now maintained
independently.
An out-of-bounds read flaw was found in the way the process_browse_data()
function of cups-browsed handled certain browse packets. A remote attacker
could send a specially crafted browse packet that, when processed by
cups-browsed, would crash the cups-browsed daemon. (CVE-2014-4337)
A flaw was found in the way the cups-browsed daemon interpreted the
"BrowseAllow" directive in the cups-browsed.conf file. An attacker able to
add a malformed "BrowseAllow" directive to the cups-browsed.conf file could
use this flaw to bypass intended access restrictions. (CVE-2014-4338)
All cups-filters users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. After installing
this update, the cups-browsed daemon will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-11-03"/>
<updated date="2014-11-03"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4337">CVE-2014-4337</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4338">CVE-2014-4338</cve>
<bugzilla href="https://bugzilla.redhat.com/1091568" id="1091568">CVE-2014-4338 cups-filters: unsupported BrowseAllow value lets cups-browsed accept from all hosts</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1111510" id="1111510">CVE-2014-4337 cups-filters: cups-browsed DoS via process_browse_data() OOB read</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="cups-filters is earlier than 0:1.0.35-15.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141795005"/>
<criterion comment="cups-filters is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141795006"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-filters-devel is earlier than 0:1.0.35-15.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141795007"/>
<criterion comment="cups-filters-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141795008"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-filters-libs is earlier than 0:1.0.35-15.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141795009"/>
<criterion comment="cups-filters-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141795010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141801" version="601">
<metadata>
<title>RHSA-2014:1801: shim security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1801-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1801.html" source="RHSA"/>
<reference ref_id="CVE-2014-3675" ref_url="https://access.redhat.com/security/cve/CVE-2014-3675" source="CVE"/>
<reference ref_id="CVE-2014-3676" ref_url="https://access.redhat.com/security/cve/CVE-2014-3676" source="CVE"/>
<reference ref_id="CVE-2014-3677" ref_url="https://access.redhat.com/security/cve/CVE-2014-3677" source="CVE"/>
<description>Shim is the initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments.
A heap-based buffer overflow flaw was found the way shim parsed certain
IPv6 addresses. If IPv6 network booting was enabled, a malicious server
could supply a crafted IPv6 address that would cause shim to crash or,
potentially, execute arbitrary code. (CVE-2014-3676)
An out-of-bounds memory write flaw was found in the way shim processed
certain Machine Owner Keys (MOKs). A local attacker could potentially use
this flaw to execute arbitrary code on the system. (CVE-2014-3677)
An out-of-bounds memory read flaw was found in the way shim parsed certain
IPv6 packets. A specially crafted DHCPv6 packet could possibly cause shim
to crash, preventing the system from booting if IPv6 booting was enabled.
(CVE-2014-3675)
Red Hat would like to thank the SUSE Security Team for reporting these
issues.
All shim users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-11-04"/>
<updated date="2014-11-04"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3675">CVE-2014-3675</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3676">CVE-2014-3676</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3677">CVE-2014-3677</cve>
<bugzilla href="https://bugzilla.redhat.com/1148230" id="1148230">CVE-2014-3675 shim: out-of-bounds memory read flaw in DHCPv6 packet processing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1148231" id="1148231">CVE-2014-3676 shim: heap-based buffer overflow flaw in IPv6 address parsing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1148232" id="1148232">CVE-2014-3677 shim: memory corruption flaw when processing Machine Owner Keys (MOKs)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="mokutil is earlier than 0:0.7-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141801007"/>
<criterion comment="mokutil is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141801008"/>
</criteria>
<criteria operator="AND">
<criterion comment="shim is earlier than 0:0.7-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141801005"/>
<criterion comment="shim is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141801006"/>
</criteria>
<criteria operator="AND">
<criterion comment="shim-unsigned is earlier than 0:0.7-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141801009"/>
<criterion comment="shim-unsigned is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141801010"/>
</criteria>
<criteria operator="AND">
<criterion comment="shim is earlier than 0:0.7-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141801005"/>
<criterion comment="shim is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141801006"/>
</criteria>
<criteria operator="AND">
<criterion comment="shim-signed is earlier than 0:0.7-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141801011"/>
<criterion comment="shim-signed is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141801012"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141826" version="601">
<metadata>
<title>RHSA-2014:1826: libvncserver security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1826-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1826.html" source="RHSA"/>
<reference ref_id="CVE-2014-6051" ref_url="https://access.redhat.com/security/cve/CVE-2014-6051" source="CVE"/>
<reference ref_id="CVE-2014-6052" ref_url="https://access.redhat.com/security/cve/CVE-2014-6052" source="CVE"/>
<reference ref_id="CVE-2014-6053" ref_url="https://access.redhat.com/security/cve/CVE-2014-6053" source="CVE"/>
<reference ref_id="CVE-2014-6054" ref_url="https://access.redhat.com/security/cve/CVE-2014-6054" source="CVE"/>
<reference ref_id="CVE-2014-6055" ref_url="https://access.redhat.com/security/cve/CVE-2014-6055" source="CVE"/>
<description>LibVNCServer is a library that allows for easy creation of VNC server or
client functionality.
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way screen sizes were handled by LibVNCServer. A malicious VNC
server could use this flaw to cause a client to crash or, potentially,
execute arbitrary code in the client. (CVE-2014-6051)
A NULL pointer dereference flaw was found in LibVNCServer's framebuffer
setup. A malicious VNC server could use this flaw to cause a VNC client to
crash. (CVE-2014-6052)
A NULL pointer dereference flaw was found in the way LibVNCServer handled
certain ClientCutText message. A remote attacker could use this flaw to
crash the VNC server by sending a specially crafted ClientCutText message
from a VNC client. (CVE-2014-6053)
A divide-by-zero flaw was found in the way LibVNCServer handled the scaling
factor when it was set to "0". A remote attacker could use this flaw to
crash the VNC server using a malicious VNC client. (CVE-2014-6054)
Two stack-based buffer overflow flaws were found in the way LibVNCServer
handled file transfers. A remote attacker could use this flaw to crash the
VNC server using a malicious VNC client. (CVE-2014-6055)
Red Hat would like to thank oCERT for reporting these issues. oCERT
acknowledges Nicolas Ruff as the original reporter.
All libvncserver users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. All running
applications linked against libvncserver must be restarted for this update
to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-11-11"/>
<updated date="2014-11-11"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6051">CVE-2014-6051</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6052">CVE-2014-6052</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6053">CVE-2014-6053</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6054">CVE-2014-6054</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6055">CVE-2014-6055</cve>
<bugzilla href="https://bugzilla.redhat.com/1144287" id="1144287">CVE-2014-6051 libvncserver: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144288" id="1144288">CVE-2014-6052 libvncserver: NULL pointer dereference flaw in framebuffer setup</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144289" id="1144289">CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCutText message handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144291" id="1144291">CVE-2014-6054 libvncserver: server divide-by-zero flaw in scaling factor handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144293" id="1144293">CVE-2014-6055 libvncserver: server stacked-based buffer overflow flaws in file transfer handling</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libvncserver is earlier than 0:0.9.9-9.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141826005"/>
<criterion comment="libvncserver is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141826006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvncserver-devel is earlier than 0:0.9.9-9.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141826007"/>
<criterion comment="libvncserver-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141826008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libvncserver is earlier than 0:0.9.7-7.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141826013"/>
<criterion comment="libvncserver is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141826006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvncserver-devel is earlier than 0:0.9.7-7.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141826014"/>
<criterion comment="libvncserver-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141826008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141827" version="601">
<metadata>
<title>RHSA-2014:1827: kdenetwork security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1827-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1827.html" source="RHSA"/>
<reference ref_id="CVE-2014-6053" ref_url="https://access.redhat.com/security/cve/CVE-2014-6053" source="CVE"/>
<reference ref_id="CVE-2014-6054" ref_url="https://access.redhat.com/security/cve/CVE-2014-6054" source="CVE"/>
<reference ref_id="CVE-2014-6055" ref_url="https://access.redhat.com/security/cve/CVE-2014-6055" source="CVE"/>
<description>The kdenetwork packages contain networking applications for the K Desktop
Environment (KDE). Krfb Desktop Sharing, which is a part of the kdenetwork
package, is a server application that allows session sharing between users.
Krfb uses the LibVNCServer library.
A NULL pointer dereference flaw was found in the way LibVNCServer handled
certain ClientCutText message. A remote attacker could use this flaw to
crash the VNC server by sending a specially crafted ClientCutText message
from a VNC client. (CVE-2014-6053)
A divide-by-zero flaw was found in the way LibVNCServer handled the scaling
factor when it was set to "0". A remote attacker could use this flaw to
crash the VNC server using a malicious VNC client. (CVE-2014-6054)
Two stack-based buffer overflow flaws were found in the way LibVNCServer
handled file transfers. A remote attacker could use this flaw to crash the
VNC server using a malicious VNC client. (CVE-2014-6055)
Red Hat would like to thank oCERT for reporting these issues. oCERT
acknowledges Nicolas Ruff as the original reporter.
Note: Prior to this update, the kdenetwork packages used an embedded copy
of the LibVNCServer library. With this update, the kdenetwork packages have
been modified to use the system LibVNCServer packages. Therefore, the
update provided by RHSA-2014:1826 must be installed to fully address the
issues in krfb described above.
All kdenetwork users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. All running
instances of the krfb server must be restarted for this update to take
effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-11-11"/>
<updated date="2014-11-11"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6053">CVE-2014-6053</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6054">CVE-2014-6054</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6055">CVE-2014-6055</cve>
<bugzilla href="https://bugzilla.redhat.com/1144289" id="1144289">CVE-2014-6053 libvncserver: server NULL pointer dereference flaw in ClientCutText message handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144291" id="1144291">CVE-2014-6054 libvncserver: server divide-by-zero flaw in scaling factor handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144293" id="1144293">CVE-2014-6055 libvncserver: server stacked-based buffer overflow flaws in file transfer handling</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kdenetwork is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827005"/>
<criterion comment="kdenetwork is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-common is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827013"/>
<criterion comment="kdenetwork-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-devel is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827019"/>
<criterion comment="kdenetwork-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827020"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-fileshare-samba is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827031"/>
<criterion comment="kdenetwork-fileshare-samba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-kdnssd is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827015"/>
<criterion comment="kdenetwork-kdnssd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-kget is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827017"/>
<criterion comment="kdenetwork-kget is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-kget-libs is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827007"/>
<criterion comment="kdenetwork-kget-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-kopete is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827025"/>
<criterion comment="kdenetwork-kopete is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-kopete-devel is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827033"/>
<criterion comment="kdenetwork-kopete-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-kopete-libs is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827023"/>
<criterion comment="kdenetwork-kopete-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-krdc is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827011"/>
<criterion comment="kdenetwork-krdc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-krdc-devel is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827021"/>
<criterion comment="kdenetwork-krdc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-krdc-libs is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827027"/>
<criterion comment="kdenetwork-krdc-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-krfb is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827029"/>
<criterion comment="kdenetwork-krfb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kdenetwork-krfb-libs is earlier than 7:4.10.5-8.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141827009"/>
<criterion comment="kdenetwork-krfb-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141827010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141846" version="601">
<metadata>
<title>RHSA-2014:1846: gnutls security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1846-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1846.html" source="RHSA"/>
<reference ref_id="CVE-2014-8564" ref_url="https://access.redhat.com/security/cve/CVE-2014-8564" source="CVE"/>
<description>The GnuTLS library provides support for cryptographic algorithms and for
protocols such as Transport Layer Security (TLS). The gnutls packages also
include the libtasn1 library, which provides Abstract Syntax Notation One
(ASN.1) parsing and structures management, and Distinguished Encoding Rules
(DER) encoding and decoding functions.
An out-of-bounds memory write flaw was found in the way GnuTLS parsed
certain ECC (Elliptic Curve Cryptography) certificates or certificate
signing requests (CSR). A malicious user could create a specially crafted
ECC certificate or a certificate signing request that, when processed by an
application compiled against GnuTLS (for example, certtool), could cause
that application to crash or execute arbitrary code with the permissions of
the user running the application. (CVE-2014-8564)
Red Hat would like to thank GnuTLS upstream for reporting this issue.
Upstream acknowledges Sean Burford as the original reporter.
All gnutls users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all applications linked to the GnuTLS or libtasn1 library must
be restarted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-11-12"/>
<updated date="2014-11-12"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8564">CVE-2014-8564</cve>
<bugzilla href="https://bugzilla.redhat.com/1161443" id="1161443">CVE-2014-8564 gnutls: Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="gnutls is earlier than 0:3.1.18-10.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141846005"/>
<criterion comment="gnutls is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684006"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-c++ is earlier than 0:3.1.18-10.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141846011"/>
<criterion comment="gnutls-c++ is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684010"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-dane is earlier than 0:3.1.18-10.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141846013"/>
<criterion comment="gnutls-dane is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684008"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-devel is earlier than 0:3.1.18-10.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141846009"/>
<criterion comment="gnutls-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684014"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-utils is earlier than 0:3.1.18-10.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141846007"/>
<criterion comment="gnutls-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684012"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141861" version="602">
<metadata>
<title>RHSA-2014:1861: mariadb security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1861-01" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1861.html" source="RHSA"/>
<reference ref_id="CVE-2012-5615" ref_url="https://access.redhat.com/security/cve/CVE-2012-5615" source="CVE"/>
<reference ref_id="CVE-2014-2494" ref_url="https://access.redhat.com/security/cve/CVE-2014-2494" source="CVE"/>
<reference ref_id="CVE-2014-4207" ref_url="https://access.redhat.com/security/cve/CVE-2014-4207" source="CVE"/>
<reference ref_id="CVE-2014-4243" ref_url="https://access.redhat.com/security/cve/CVE-2014-4243" source="CVE"/>
<reference ref_id="CVE-2014-4258" ref_url="https://access.redhat.com/security/cve/CVE-2014-4258" source="CVE"/>
<reference ref_id="CVE-2014-4260" ref_url="https://access.redhat.com/security/cve/CVE-2014-4260" source="CVE"/>
<reference ref_id="CVE-2014-4274" ref_url="https://access.redhat.com/security/cve/CVE-2014-4274" source="CVE"/>
<reference ref_id="CVE-2014-4287" ref_url="https://access.redhat.com/security/cve/CVE-2014-4287" source="CVE"/>
<reference ref_id="CVE-2014-6463" ref_url="https://access.redhat.com/security/cve/CVE-2014-6463" source="CVE"/>
<reference ref_id="CVE-2014-6464" ref_url="https://access.redhat.com/security/cve/CVE-2014-6464" source="CVE"/>
<reference ref_id="CVE-2014-6469" ref_url="https://access.redhat.com/security/cve/CVE-2014-6469" source="CVE"/>
<reference ref_id="CVE-2014-6484" ref_url="https://access.redhat.com/security/cve/CVE-2014-6484" source="CVE"/>
<reference ref_id="CVE-2014-6505" ref_url="https://access.redhat.com/security/cve/CVE-2014-6505" source="CVE"/>
<reference ref_id="CVE-2014-6507" ref_url="https://access.redhat.com/security/cve/CVE-2014-6507" source="CVE"/>
<reference ref_id="CVE-2014-6520" ref_url="https://access.redhat.com/security/cve/CVE-2014-6520" source="CVE"/>
<reference ref_id="CVE-2014-6530" ref_url="https://access.redhat.com/security/cve/CVE-2014-6530" source="CVE"/>
<reference ref_id="CVE-2014-6551" ref_url="https://access.redhat.com/security/cve/CVE-2014-6551" source="CVE"/>
<reference ref_id="CVE-2014-6555" ref_url="https://access.redhat.com/security/cve/CVE-2014-6555" source="CVE"/>
<reference ref_id="CVE-2014-6559" ref_url="https://access.redhat.com/security/cve/CVE-2014-6559" source="CVE"/>
<description>MariaDB is a multi-user, multi-threaded SQL database server that is binary
compatible with MySQL.
This update fixes several vulnerabilities in the MariaDB database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory page, listed in the References section. (CVE-2014-2494,
CVE-2014-4207, CVE-2014-4243, CVE-2014-4258, CVE-2014-4260, CVE-2014-4287,
CVE-2014-4274, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6484,
CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551,
CVE-2014-6555, CVE-2014-6559)
These updated packages upgrade MariaDB to version 5.5.40. Refer to the
MariaDB Release Notes listed in the References section for a complete list
of changes.
All MariaDB users should upgrade to these updated packages, which correct
these issues. After installing this update, the MariaDB server daemon
(mysqld) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-11-17"/>
<updated date="2014-11-17"/>
<cve href="https://access.redhat.com/security/cve/CVE-2012-5615">CVE-2012-5615</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-2494">CVE-2014-2494</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4207">CVE-2014-4207</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4243">CVE-2014-4243</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4258">CVE-2014-4258</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4260">CVE-2014-4260</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4274">CVE-2014-4274</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4287">CVE-2014-4287</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6463">CVE-2014-6463</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6464">CVE-2014-6464</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6469">CVE-2014-6469</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6484">CVE-2014-6484</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6505">CVE-2014-6505</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6507">CVE-2014-6507</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6520">CVE-2014-6520</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6530">CVE-2014-6530</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6551">CVE-2014-6551</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6555">CVE-2014-6555</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6559">CVE-2014-6559</cve>
<bugzilla href="https://bugzilla.redhat.com/1120382" id="1120382">CVE-2014-2494 mysql: unspecified vulnerability related to ENARC (CPU July 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120383" id="1120383">CVE-2014-4207 mysql: unspecified vulnerability related to SROPTZR (CPU July 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120385" id="1120385">CVE-2014-4243 mysql: unspecified vulnerability related to ENFED (CPU July 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120387" id="1120387">CVE-2014-4258 mysql: unspecified vulnerability related to SRINFOSC (CPU July 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120388" id="1120388">CVE-2014-4260 mysql: unspecified vulnerability related to SRCHAR (CPU July 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1126271" id="1126271">CVE-2014-4274 mysql: unspecified MyISAM temporary file issue fixed in 5.5.39 and 5.6.20</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153461" id="1153461">CVE-2014-4287 mysql: unspecified vulnerability related to SERVER:CHARACTER SETS (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153462" id="1153462">CVE-2014-6463 mysql: unspecified vulnerability related to SERVER:REPLICATION ROW FORMAT BINARY LOG DML (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153463" id="1153463">CVE-2014-6464 mysql: unspecified vulnerability related to SERVER:INNODB DML FOREIGN KEYS (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153464" id="1153464">CVE-2014-6469 mysql: unspecified vulnerability related to SERVER:OPTIMIZER (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153467" id="1153467">CVE-2014-6484 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153489" id="1153489">CVE-2014-6505 mysql: unspecified vulnerability related to SERVER:MEMORY STORAGE ENGINE (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153490" id="1153490">CVE-2014-6507 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153491" id="1153491">CVE-2014-6520 mysql: unspecified vulnerability related to SERVER:DDL (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153493" id="1153493">CVE-2014-6530 mysql: unspecified vulnerability related to CLIENT:MYSQLDUMP (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153494" id="1153494">CVE-2014-6551 mysql: unspecified vulnerability related to CLIENT:MYSQLADMIN (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153495" id="1153495">CVE-2014-6555 mysql: unspecified vulnerability related to SERVER:DML (CPU October 2014)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153496" id="1153496">CVE-2014-6559 mysql: unspecified vulnerability related to C API SSL CERTIFICATE HANDLING (CPU October 2014)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="mariadb is earlier than 1:5.5.40-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141861005"/>
<criterion comment="mariadb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702006"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-bench is earlier than 1:5.5.40-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141861019"/>
<criterion comment="mariadb-bench is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702012"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-devel is earlier than 1:5.5.40-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141861015"/>
<criterion comment="mariadb-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702018"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-embedded is earlier than 1:5.5.40-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141861007"/>
<criterion comment="mariadb-embedded is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702014"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-embedded-devel is earlier than 1:5.5.40-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141861009"/>
<criterion comment="mariadb-embedded-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702010"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-libs is earlier than 1:5.5.40-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141861013"/>
<criterion comment="mariadb-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702008"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-server is earlier than 1:5.5.40-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141861011"/>
<criterion comment="mariadb-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702020"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-test is earlier than 1:5.5.40-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141861017"/>
<criterion comment="mariadb-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141870" version="601">
<metadata>
<title>RHSA-2014:1870: libXfont security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1870-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1870.html" source="RHSA"/>
<reference ref_id="CVE-2014-0209" ref_url="https://access.redhat.com/security/cve/CVE-2014-0209" source="CVE"/>
<reference ref_id="CVE-2014-0210" ref_url="https://access.redhat.com/security/cve/CVE-2014-0210" source="CVE"/>
<reference ref_id="CVE-2014-0211" ref_url="https://access.redhat.com/security/cve/CVE-2014-0211" source="CVE"/>
<description>The libXfont packages provide the X.Org libXfont runtime library. X.Org is
an open source implementation of the X Window System.
A use-after-free flaw was found in the way libXfont processed certain font
files when attempting to add a new directory to the font path. A malicious,
local user could exploit this issue to potentially execute arbitrary code
with the privileges of the X.Org server. (CVE-2014-0209)
Multiple out-of-bounds write flaws were found in the way libXfont parsed
replies received from an X.org font server. A malicious X.org server could
cause an X client to crash or, possibly, execute arbitrary code with the
privileges of the X.Org server. (CVE-2014-0210, CVE-2014-0211)
Red Hat would like to thank the X.org project for reporting these issues.
Upstream acknowledges Ilja van Sprundel as the original reporter.
Users of libXfont should upgrade to these updated packages, which contain a
backported patch to resolve this issue. All running X.Org server instances
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-11-18"/>
<updated date="2014-11-18"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0209">CVE-2014-0209</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0210">CVE-2014-0210</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0211">CVE-2014-0211</cve>
<bugzilla href="https://bugzilla.redhat.com/1096593" id="1096593">CVE-2014-0209 libXfont: integer overflow of allocations in font metadata file parsing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1096597" id="1096597">CVE-2014-0210 libXfont: unvalidated length fields when parsing xfs protocol replies</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1096601" id="1096601">CVE-2014-0211 libXfont: integer overflows calculating memory needs for xfs replies</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libXfont is earlier than 0:1.4.7-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141870005"/>
<criterion comment="libXfont is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141870006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libXfont-devel is earlier than 0:1.4.7-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141870007"/>
<criterion comment="libXfont-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141870008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libXfont is earlier than 0:1.4.5-4.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141870013"/>
<criterion comment="libXfont is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141870006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libXfont-devel is earlier than 0:1.4.5-4.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141870014"/>
<criterion comment="libXfont-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141870008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141912" version="601">
<metadata>
<title>RHSA-2014:1912: ruby security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1912-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1912.html" source="RHSA"/>
<reference ref_id="CVE-2014-4975" ref_url="https://access.redhat.com/security/cve/CVE-2014-4975" source="CVE"/>
<reference ref_id="CVE-2014-8080" ref_url="https://access.redhat.com/security/cve/CVE-2014-8080" source="CVE"/>
<reference ref_id="CVE-2014-8090" ref_url="https://access.redhat.com/security/cve/CVE-2014-8090" source="CVE"/>
<description>Ruby is an extensible, interpreted, object-oriented, scripting language.
It has features to process text files and to perform system management
tasks.
Multiple denial of service flaws were found in the way the Ruby REXML XML
parser performed expansion of parameter entities. A specially crafted XML
document could cause REXML to use an excessive amount of CPU and memory.
(CVE-2014-8080, CVE-2014-8090)
A stack-based buffer overflow was found in the implementation of the Ruby
Array pack() method. When performing base64 encoding, a single byte could
be written past the end of the buffer, possibly causing Ruby to crash.
(CVE-2014-4975)
The CVE-2014-8090 issue was discovered by Red Hat Product Security.
All ruby users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. All running instances
of Ruby need to be restarted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-11-26"/>
<updated date="2014-11-26"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4975">CVE-2014-4975</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8080">CVE-2014-8080</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8090">CVE-2014-8090</cve>
<bugzilla href="https://bugzilla.redhat.com/1118158" id="1118158">CVE-2014-4975 ruby: off-by-one stack-based buffer overflow in the encodes() function</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1157709" id="1157709">CVE-2014-8080 ruby: REXML billion laughs attack via parameter entity expansion</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159927" id="1159927">CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ruby is earlier than 0:2.0.0.353-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912005"/>
<criterion comment="ruby is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ruby-devel is earlier than 0:2.0.0.353-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912009"/>
<criterion comment="ruby-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ruby-doc is earlier than 0:2.0.0.353-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912027"/>
<criterion comment="ruby-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912028"/>
</criteria>
<criteria operator="AND">
<criterion comment="ruby-irb is earlier than 0:2.0.0.353-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912015"/>
<criterion comment="ruby-irb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912016"/>
</criteria>
<criteria operator="AND">
<criterion comment="ruby-libs is earlier than 0:2.0.0.353-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912007"/>
<criterion comment="ruby-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912008"/>
</criteria>
<criteria operator="AND">
<criterion comment="ruby-tcltk is earlier than 0:2.0.0.353-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912029"/>
<criterion comment="ruby-tcltk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912030"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-bigdecimal is earlier than 0:1.2.0-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912019"/>
<criterion comment="rubygem-bigdecimal is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912020"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-io-console is earlier than 0:0.4.2-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912025"/>
<criterion comment="rubygem-io-console is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912026"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-json is earlier than 0:1.7.7-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912011"/>
<criterion comment="rubygem-json is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912012"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-minitest is earlier than 0:4.3.2-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912017"/>
<criterion comment="rubygem-minitest is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912018"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-psych is earlier than 0:2.0.0-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912033"/>
<criterion comment="rubygem-psych is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912034"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-rake is earlier than 0:0.9.6-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912031"/>
<criterion comment="rubygem-rake is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912032"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-rdoc is earlier than 0:4.0.0-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912023"/>
<criterion comment="rubygem-rdoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912024"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygems is earlier than 0:2.0.14-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912021"/>
<criterion comment="rubygems is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912022"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygems-devel is earlier than 0:2.0.14-22.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141912013"/>
<criterion comment="rubygems-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141912014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141919" version="601">
<metadata>
<title>RHSA-2014:1919: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1919-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1919.html" source="RHSA"/>
<reference ref_id="CVE-2014-1587" ref_url="https://access.redhat.com/security/cve/CVE-2014-1587" source="CVE"/>
<reference ref_id="CVE-2014-1590" ref_url="https://access.redhat.com/security/cve/CVE-2014-1590" source="CVE"/>
<reference ref_id="CVE-2014-1592" ref_url="https://access.redhat.com/security/cve/CVE-2014-1592" source="CVE"/>
<reference ref_id="CVE-2014-1593" ref_url="https://access.redhat.com/security/cve/CVE-2014-1593" source="CVE"/>
<reference ref_id="CVE-2014-1594" ref_url="https://access.redhat.com/security/cve/CVE-2014-1594" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593)
A flaw was found in the Alarm API, which could allow applications to
schedule actions to be run in the future. A malicious web application could
use this flaw to bypass the same-origin policy. (CVE-2014-1594)
This update disables SSL 3.0 support by default in Firefox. Details on how
to re-enable SSL 3.0 support are available at:
https://access.redhat.com/articles/1283153
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse
Ruderman, Max Jonas Werner, Joe Vennix, Berend-Jan Wever, Abhishek Arya,
and Boris Zbarsky as the original reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 31.3.0 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 31.3.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-02"/>
<updated date="2014-12-02"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-1587">CVE-2014-1587</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-1590">CVE-2014-1590</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-1592">CVE-2014-1592</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-1593">CVE-2014-1593</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-1594">CVE-2014-1594</cve>
<bugzilla href="https://bugzilla.redhat.com/1169201" id="1169201">CVE-2014-1587 Mozilla: Miscellaneous memory safety hazards (rv:31.3) (MFSA 2014-83)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169206" id="1169206">CVE-2014-1590 Mozilla: XMLHttpRequest crashes with some input streams (MFSA 2014-85)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169208" id="1169208">CVE-2014-1592 Mozilla: Use-after-free during HTML5 parsing (MFSA 2014-87)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169209" id="1169209">CVE-2014-1593 Mozilla: Buffer overflow while parsing media content (MFSA 2014-88)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169210" id="1169210">CVE-2014-1594 Mozilla: Bad casting from the BasicThebesLayer to BasicContainerLayer (MFSA 2014-89)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:31.3.0-4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141919002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.3.0-3.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141919008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.3.0-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141919014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141948" version="601">
<metadata>
<title>RHSA-2014:1948: nss, nss-util, and nss-softokn security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1948-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1948.html" source="RHSA"/>
<description>Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform
independence for non-GUI operating system facilities.
This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails.
This can prevent a forceful downgrade of the communication to SSL 3.0.
The SSL 3.0 protocol was found to be vulnerable to the padding oracle
attack when using block cipher suites in cipher block chaining (CBC) mode.
This issue is identified as CVE-2014-3566, and also known under the alias
POODLE. This SSL 3.0 protocol flaw will not be addressed in a future
update; it is recommended that users configure their applications to
require at least TLS protocol version 1.0 for secure communication.
For additional information about this flaw, see the Knowledgebase article
at https://access.redhat.com/articles/1232123
The nss, nss-util, and nss-softokn packages have been upgraded to upstream
version 3.16.2.3, which provides a number of bug fixes and enhancements
over the previous version, and adds the support for Mozilla Firefox 31.3.
(BZ#1158159, BZ#1165003, BZ#1165525)
Users of nss, nss-util, and nss-softokn are advised to upgrade to these
updated packages, which contain a backported patch to mitigate the
CVE-2014-3566 issue, fix these bugs, and add these enhancements. After
installing this update, applications using NSS or NSPR must be restarted
for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-02"/>
<updated date="2014-12-02"/>
<bugzilla href="https://bugzilla.redhat.com/1152789" id="1152789">CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158159" id="1158159">Upgrade to NSS 3.16.2.3 for Firefox 31.3 [rhel-5.11.z]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1165003" id="1165003">Upgrade to NSS 3.16.2.3 for Firefox 31.3 [rhel-6.6.Z]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1165525" id="1165525">Upgrade to NSS 3.16.2.3 for Firefox 31.3 [rhel-7.0.Z]</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.16.2.3-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141948002"/>
<criterion comment="nss is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916003"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.16.2.3-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141948008"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916005"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.16.2.3-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141948004"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916007"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.16.2.3-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20141948006"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140916009"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss-util is earlier than 0:3.16.2.3-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948014"/>
<criterion comment="nss-util is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073006"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util-devel is earlier than 0:3.16.2.3-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948016"/>
<criterion comment="nss-util-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073008"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn is earlier than 0:3.16.2.3-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948018"/>
<criterion comment="nss-softokn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073010"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-devel is earlier than 0:3.16.2.3-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948020"/>
<criterion comment="nss-softokn-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073014"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl is earlier than 0:3.16.2.3-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948024"/>
<criterion comment="nss-softokn-freebl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073016"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl-devel is earlier than 0:3.16.2.3-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948022"/>
<criterion comment="nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073012"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.16.2.3-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948026"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.16.2.3-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948034"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.16.2.3-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948030"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.16.2.3-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948032"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.16.2.3-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141948028"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.16.2.3-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141948040"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.16.2.3-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141948041"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.16.2.3-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141948042"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.16.2.3-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141948044"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.16.2.3-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141948043"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util is earlier than 0:3.16.2.3-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141948045"/>
<criterion comment="nss-util is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073006"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util-devel is earlier than 0:3.16.2.3-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141948046"/>
<criterion comment="nss-util-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141956" version="601">
<metadata>
<title>RHSA-2014:1956: wpa_supplicant security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1956-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1956.html" source="RHSA"/>
<reference ref_id="CVE-2014-3686" ref_url="https://access.redhat.com/security/cve/CVE-2014-3686" source="CVE"/>
<description>The wpa_supplicant package contains an 802.1X Supplicant with support for
WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication
methods. It implements key negotiation with a WPA Authenticator for client
stations and controls the roaming and IEEE 802.11 authentication and
association of the WLAN driver.
A command injection flaw was found in the way the wpa_cli utility executed
action scripts. If wpa_cli was run in daemon mode to execute an action
script (specified using the -a command line option), and wpa_supplicant was
configured to connect to a P2P group, malicious P2P group parameters could
cause wpa_cli to execute arbitrary code. (CVE-2014-3686)
Red Hat would like to thank Jouni Malinen for reporting this issue.
All wpa_supplicant users are advised to upgrade to this updated package,
which contains a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-03"/>
<updated date="2014-12-03"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3686">CVE-2014-3686</cve>
<bugzilla href="https://bugzilla.redhat.com/1151259" id="1151259">CVE-2014-3686 wpa_supplicant and hostapd: wpa_cli and hostapd_cli remote command execution issue</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="wpa_supplicant is earlier than 1:2.0-13.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141956005"/>
<criterion comment="wpa_supplicant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141956006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141971" version="601">
<metadata>
<title>RHSA-2014:1971: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1971-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1971.html" source="RHSA"/>
<reference ref_id="CVE-2013-2929" ref_url="https://access.redhat.com/security/cve/CVE-2013-2929" source="CVE"/>
<reference ref_id="CVE-2014-1739" ref_url="https://access.redhat.com/security/cve/CVE-2014-1739" source="CVE"/>
<reference ref_id="CVE-2014-3181" ref_url="https://access.redhat.com/security/cve/CVE-2014-3181" source="CVE"/>
<reference ref_id="CVE-2014-3182" ref_url="https://access.redhat.com/security/cve/CVE-2014-3182" source="CVE"/>
<reference ref_id="CVE-2014-3184" ref_url="https://access.redhat.com/security/cve/CVE-2014-3184" source="CVE"/>
<reference ref_id="CVE-2014-3185" ref_url="https://access.redhat.com/security/cve/CVE-2014-3185" source="CVE"/>
<reference ref_id="CVE-2014-3186" ref_url="https://access.redhat.com/security/cve/CVE-2014-3186" source="CVE"/>
<reference ref_id="CVE-2014-3631" ref_url="https://access.redhat.com/security/cve/CVE-2014-3631" source="CVE"/>
<reference ref_id="CVE-2014-3673" ref_url="https://access.redhat.com/security/cve/CVE-2014-3673" source="CVE"/>
<reference ref_id="CVE-2014-3687" ref_url="https://access.redhat.com/security/cve/CVE-2014-3687" source="CVE"/>
<reference ref_id="CVE-2014-3688" ref_url="https://access.redhat.com/security/cve/CVE-2014-3688" source="CVE"/>
<reference ref_id="CVE-2014-4027" ref_url="https://access.redhat.com/security/cve/CVE-2014-4027" source="CVE"/>
<reference ref_id="CVE-2014-4652" ref_url="https://access.redhat.com/security/cve/CVE-2014-4652" source="CVE"/>
<reference ref_id="CVE-2014-4654" ref_url="https://access.redhat.com/security/cve/CVE-2014-4654" source="CVE"/>
<reference ref_id="CVE-2014-4655" ref_url="https://access.redhat.com/security/cve/CVE-2014-4655" source="CVE"/>
<reference ref_id="CVE-2014-4656" ref_url="https://access.redhat.com/security/cve/CVE-2014-4656" source="CVE"/>
<reference ref_id="CVE-2014-5045" ref_url="https://access.redhat.com/security/cve/CVE-2014-5045" source="CVE"/>
<reference ref_id="CVE-2014-6410" ref_url="https://access.redhat.com/security/cve/CVE-2014-6410" source="CVE"/>
<description>* A flaw was found in the way the Linux kernel's SCTP implementation
handled malformed or duplicate Address Configuration Change Chunks
(ASCONF). A remote attacker could use either of these flaws to crash the
system. (CVE-2014-3673, CVE-2014-3687, Important)
* A flaw was found in the way the Linux kernel's SCTP implementation
handled the association's output queue. A remote attacker could send
specially crafted packets that would cause the system to use an excessive
amount of memory, leading to a denial of service. (CVE-2014-3688,
Important)
* Two flaws were found in the way the Apple Magic Mouse/Trackpad
multi-touch driver and the Minibox PicoLCD driver handled invalid HID
reports. An attacker with physical access to the system could use these
flaws to crash the system or, potentially, escalate their privileges on the
system. (CVE-2014-3181, CVE-2014-3186, Moderate)
* A memory corruption flaw was found in the way the USB ConnectTech
WhiteHEAT serial driver processed completion commands sent via USB Request
Blocks buffers. An attacker with physical access to the system could use
this flaw to crash the system or, potentially, escalate their privileges on
the system. (CVE-2014-3185, Moderate)
* A flaw was found in the way the Linux kernel's keys subsystem handled the
termination condition in the associative array garbage collection
functionality. A local, unprivileged user could use this flaw to crash the
system. (CVE-2014-3631, Moderate)
* Multiple flaws were found in the way the Linux kernel's ALSA
implementation handled user controls. A local, privileged user could use
either of these flaws to crash the system. (CVE-2014-4654, CVE-2014-4655,
CVE-2014-4656, Moderate)
* A flaw was found in the way the Linux kernel's VFS subsystem handled
reference counting when performing unmount operations on symbolic links.
A local, unprivileged user could use this flaw to exhaust all available
memory on the system or, potentially, trigger a use-after-free error,
resulting in a system crash or privilege escalation. (CVE-2014-5045,
Moderate)
* A flaw was found in the way the get_dumpable() function return value was
interpreted in the ptrace subsystem of the Linux kernel. When
'fs.suid_dumpable' was set to 2, a local, unprivileged local user could
use this flaw to bypass intended ptrace restrictions and obtain
potentially sensitive information. (CVE-2013-2929, Low)
* A stack overflow flaw caused by infinite recursion was found in the way
the Linux kernel's UDF file system implementation processed indirect ICBs.
An attacker with physical access to the system could use a specially
crafted UDF image to crash the system. (CVE-2014-6410, Low)
* An information leak flaw in the way the Linux kernel handled media device
enumerate entities IOCTL requests could allow a local user able to access
the /dev/media0 device file to leak kernel memory bytes. (CVE-2014-1739,
Low)
* An out-of-bounds read flaw in the Logitech Unifying receiver driver could
allow an attacker with physical access to the system to crash the system
or, potentially, escalate their privileges on the system. (CVE-2014-3182,
Low)
* Multiple out-of-bounds write flaws were found in the way the Cherry
Cymotion keyboard driver, KYE/Genius device drivers, Logitech device
drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote
control driver, and Sunplus wireless desktop driver handled invalid HID
reports. An attacker with physical access to the system could use either of
these flaws to write data past an allocated memory buffer. (CVE-2014-3184,
Low)
* An information leak flaw was found in the RAM Disks Memory Copy (rd_mcp)
back end driver of the iSCSI Target subsystem could allow a privileged user
to leak the contents of kernel memory to an iSCSI initiator remote client.
(CVE-2014-4027, Low)
* An information leak flaw in the Linux kernel's ALSA implementation could
allow a local, privileged user to leak kernel memory to user space.
(CVE-2014-4652, Low)</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-09"/>
<updated date="2014-12-09"/>
<cve href="https://access.redhat.com/security/cve/CVE-2013-2929">CVE-2013-2929</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-1739">CVE-2014-1739</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3181">CVE-2014-3181</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3182">CVE-2014-3182</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3184">CVE-2014-3184</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3185">CVE-2014-3185</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3186">CVE-2014-3186</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3631">CVE-2014-3631</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3673">CVE-2014-3673</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3687">CVE-2014-3687</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3688">CVE-2014-3688</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4027">CVE-2014-4027</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4652">CVE-2014-4652</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4654">CVE-2014-4654</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4655">CVE-2014-4655</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4656">CVE-2014-4656</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-5045">CVE-2014-5045</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6410">CVE-2014-6410</cve>
<bugzilla href="https://bugzilla.redhat.com/1028148" id="1028148">CVE-2013-2929 kernel: exec/ptrace: get_dumpable() incorrect tests</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108744" id="1108744">CVE-2014-4027 Kernel: target/rd: imformation leakage</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109774" id="1109774">CVE-2014-1739 Kernel: drivers: media: an information leakage</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113406" id="1113406">CVE-2014-4652 Kernel: ALSA: control: protect user controls against races & memory disclosure</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113445" id="1113445">CVE-2014-4654 CVE-2014-4655 Kernel: ALSA: control: use-after-free in replacing user controls</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113470" id="1113470">CVE-2014-4656 Kernel: ALSA: control: integer overflow in id.index & id.numid</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1122472" id="1122472">CVE-2014-5045 kernel: vfs: refcount issues during unmount on symlink</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1140325" id="1140325">CVE-2014-3631 kernel: keys: incorrect termination condition in assoc array garbage collection</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141173" id="1141173">CVE-2014-3181 Kernel: HID: OOB write in magicmouse driver</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141210" id="1141210">CVE-2014-3182 Kernel: HID: logitech-dj OOB array access</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141391" id="1141391">CVE-2014-3184 Kernel: HID: off by one error in various _report_fixup routines</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141400" id="1141400">CVE-2014-3185 Kernel: USB serial: memory corruption flaw</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141407" id="1141407">CVE-2014-3186 Kernel: HID: memory corruption via OOB write</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141809" id="1141809">CVE-2014-6410 kernel: udf: Avoid infinite loop when processing indirect ICBs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1147850" id="1147850">CVE-2014-3673 kernel: sctp: skb_over_panic when receiving malformed ASCONF chunks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1155731" id="1155731">CVE-2014-3687 kernel: net: sctp: fix panic on duplicate ASCONF chunks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1155745" id="1155745">CVE-2014-3688 kernel: net: sctp: remote memory pressure from excessive queueing</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971033"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971013"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971015"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971021"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971031"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971029"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971027"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971011"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971023"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971019"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971009"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-123.13.1.el7" test_ref="oval:com.redhat.rhsa:tst:20141971017"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141976" version="601">
<metadata>
<title>RHSA-2014:1976: rpm security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:1976-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1976.html" source="RHSA"/>
<reference ref_id="CVE-2013-6435" ref_url="https://access.redhat.com/security/cve/CVE-2013-6435" source="CVE"/>
<reference ref_id="CVE-2014-8118" ref_url="https://access.redhat.com/security/cve/CVE-2014-8118" source="CVE"/>
<description>The RPM Package Manager (RPM) is a powerful command line driven package
management system capable of installing, uninstalling, verifying, querying,
and updating software packages. Each software package consists of an
archive of files along with information about the package such as its
version, description, and other information.
It was found that RPM wrote file contents to the target installation
directory under a temporary name, and verified its cryptographic signature
only after the temporary file has been written completely. Under certain
conditions, the system interprets the unverified temporary file contents
and extracts commands from it. This could allow an attacker to modify
signed RPM files in such a way that they would execute code chosen by the
attacker during package installation. (CVE-2013-6435)
It was found that RPM could encounter an integer overflow, leading to a
stack-based buffer overflow, while parsing a crafted CPIO header in the
payload section of an RPM file. This could allow an attacker to modify
signed RPM files in such a way that they would execute code chosen by the
attacker during package installation. (CVE-2014-8118)
These issues were discovered by Florian Weimer of Red Hat Product Security.
All rpm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. All running
applications linked against the RPM library must be restarted for this
update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-09"/>
<updated date="2014-12-09"/>
<cve href="https://access.redhat.com/security/cve/CVE-2013-6435">CVE-2013-6435</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8118">CVE-2014-8118</cve>
<bugzilla href="https://bugzilla.redhat.com/1039811" id="1039811">CVE-2013-6435 rpm: race condition during the installation process</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168715" id="1168715">CVE-2014-8118 rpm: integer overflow and stack overflow in CPIO header parsing</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="rpm is earlier than 0:4.11.1-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141976005"/>
<criterion comment="rpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141976006"/>
</criteria>
<criteria operator="AND">
<criterion comment="rpm-apidocs is earlier than 0:4.11.1-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141976021"/>
<criterion comment="rpm-apidocs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141976022"/>
</criteria>
<criteria operator="AND">
<criterion comment="rpm-build is earlier than 0:4.11.1-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141976011"/>
<criterion comment="rpm-build is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141976012"/>
</criteria>
<criteria operator="AND">
<criterion comment="rpm-build-libs is earlier than 0:4.11.1-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141976013"/>
<criterion comment="rpm-build-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141976014"/>
</criteria>
<criteria operator="AND">
<criterion comment="rpm-cron is earlier than 0:4.11.1-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141976009"/>
<criterion comment="rpm-cron is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141976010"/>
</criteria>
<criteria operator="AND">
<criterion comment="rpm-devel is earlier than 0:4.11.1-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141976015"/>
<criterion comment="rpm-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141976016"/>
</criteria>
<criteria operator="AND">
<criterion comment="rpm-libs is earlier than 0:4.11.1-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141976019"/>
<criterion comment="rpm-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141976020"/>
</criteria>
<criteria operator="AND">
<criterion comment="rpm-python is earlier than 0:4.11.1-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141976007"/>
<criterion comment="rpm-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141976008"/>
</criteria>
<criteria operator="AND">
<criterion comment="rpm-sign is earlier than 0:4.11.1-18.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141976017"/>
<criterion comment="rpm-sign is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141976018"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141983" version="601">
<metadata>
<title>RHSA-2014:1983: xorg-x11-server security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2014:1983-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1983.html" source="RHSA"/>
<reference ref_id="CVE-2014-8091" ref_url="https://access.redhat.com/security/cve/CVE-2014-8091" source="CVE"/>
<reference ref_id="CVE-2014-8092" ref_url="https://access.redhat.com/security/cve/CVE-2014-8092" source="CVE"/>
<reference ref_id="CVE-2014-8093" ref_url="https://access.redhat.com/security/cve/CVE-2014-8093" source="CVE"/>
<reference ref_id="CVE-2014-8094" ref_url="https://access.redhat.com/security/cve/CVE-2014-8094" source="CVE"/>
<reference ref_id="CVE-2014-8095" ref_url="https://access.redhat.com/security/cve/CVE-2014-8095" source="CVE"/>
<reference ref_id="CVE-2014-8096" ref_url="https://access.redhat.com/security/cve/CVE-2014-8096" source="CVE"/>
<reference ref_id="CVE-2014-8097" ref_url="https://access.redhat.com/security/cve/CVE-2014-8097" source="CVE"/>
<reference ref_id="CVE-2014-8098" ref_url="https://access.redhat.com/security/cve/CVE-2014-8098" source="CVE"/>
<reference ref_id="CVE-2014-8099" ref_url="https://access.redhat.com/security/cve/CVE-2014-8099" source="CVE"/>
<reference ref_id="CVE-2014-8100" ref_url="https://access.redhat.com/security/cve/CVE-2014-8100" source="CVE"/>
<reference ref_id="CVE-2014-8101" ref_url="https://access.redhat.com/security/cve/CVE-2014-8101" source="CVE"/>
<reference ref_id="CVE-2014-8102" ref_url="https://access.redhat.com/security/cve/CVE-2014-8102" source="CVE"/>
<reference ref_id="CVE-2014-8103" ref_url="https://access.redhat.com/security/cve/CVE-2014-8103" source="CVE"/>
<description>X.Org is an open source implementation of the X Window System. It provides
the basic low-level functionality that full-fledged graphical user
interfaces are designed upon.
Multiple integer overflow flaws and out-of-bounds write flaws were found in
the way the X.Org server calculated memory requirements for certain X11
core protocol and GLX extension requests. A malicious, authenticated client
could use either of these flaws to crash the X.Org server or, potentially,
execute arbitrary code with root privileges. (CVE-2014-8092, CVE-2014-8093,
CVE-2014-8098)
It was found that the X.Org server did not properly handle SUN-DES-1
(Secure RPC) authentication credentials. A malicious, unauthenticated
client could use this flaw to crash the X.Org server by submitting a
specially crafted authentication request. (CVE-2014-8091)
Multiple out-of-bounds access flaws were found in the way the X.Org server
calculated memory requirements for certain requests. A malicious,
authenticated client could use either of these flaws to crash the X.Org
server, or leak memory contents to the client. (CVE-2014-8097)
An integer overflow flaw was found in the way the X.Org server calculated
memory requirements for certain DRI2 extension requests. A malicious,
authenticated client could use this flaw to crash the X.Org server.
(CVE-2014-8094)
Multiple out-of-bounds access flaws were found in the way the X.Org server
calculated memory requirements for certain requests. A malicious,
authenticated client could use either of these flaws to crash the X.Org
server. (CVE-2014-8095, CVE-2014-8096, CVE-2014-8099, CVE-2014-8100,
CVE-2014-8101, CVE-2014-8102, CVE-2014-8103)
All xorg-x11-server users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-11"/>
<updated date="2014-12-11"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8091">CVE-2014-8091</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8092">CVE-2014-8092</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8093">CVE-2014-8093</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8094">CVE-2014-8094</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8095">CVE-2014-8095</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8096">CVE-2014-8096</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8097">CVE-2014-8097</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8098">CVE-2014-8098</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8099">CVE-2014-8099</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8100">CVE-2014-8100</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8101">CVE-2014-8101</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8102">CVE-2014-8102</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8103">CVE-2014-8103</cve>
<bugzilla href="https://bugzilla.redhat.com/1168680" id="1168680">CVE-2014-8091 xorg-x11-server: denial of service due to unchecked malloc in client authentication</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168684" id="1168684">CVE-2014-8092 xorg-x11-server: integer overflow in X11 core protocol requests when calculating memory needs for requests</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168688" id="1168688">CVE-2014-8093 xorg-x11-server: integer overflow in GLX extension requests when calculating memory needs for requests</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168691" id="1168691">CVE-2014-8094 xorg-x11-server: integer overflow in DRI2 extension function ProcDRI2GetBuffers()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168694" id="1168694">CVE-2014-8095 xorg-x11-server: out of bounds access due to not validating length or offset values in XInput extension</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168700" id="1168700">CVE-2014-8096 xorg-x11-server: out of bounds access due to not validating length or offset values in XC-MISC extension</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168705" id="1168705">CVE-2014-8097 xorg-x11-server: out of bounds access due to not validating length or offset values in DBE extension</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168707" id="1168707">CVE-2014-8098 xorg-x11-server: out of bounds access due to not validating length or offset values in GLX extension</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168710" id="1168710">CVE-2014-8099 xorg-x11-server: out of bounds access due to not validating length or offset values in XVideo extension</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168711" id="1168711">CVE-2014-8100 xorg-x11-server: out of bounds access due to not validating length or offset values in Render extension</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168713" id="1168713">CVE-2014-8101 xorg-x11-server: out of bounds access due to not validating length or offset values in RandR extension</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168714" id="1168714">CVE-2014-8102 xorg-x11-server: out of bounds access due to not validating length or offset values in XFixes extension</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168716" id="1168716">CVE-2014-8103 xorg-x11-server: out of bounds access due to not validating length or offset values in DRI3 & Present extensions</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xorg-x11-server is earlier than 0:1.15.0-7.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141983005"/>
<criterion comment="xorg-x11-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983006"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xdmx is earlier than 0:1.15.0-7.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141983009"/>
<criterion comment="xorg-x11-server-Xdmx is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983010"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xephyr is earlier than 0:1.15.0-7.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141983013"/>
<criterion comment="xorg-x11-server-Xephyr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983014"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xnest is earlier than 0:1.15.0-7.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141983007"/>
<criterion comment="xorg-x11-server-Xnest is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983008"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xorg is earlier than 0:1.15.0-7.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141983019"/>
<criterion comment="xorg-x11-server-Xorg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983020"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xvfb is earlier than 0:1.15.0-7.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141983017"/>
<criterion comment="xorg-x11-server-Xvfb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983018"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-common is earlier than 0:1.15.0-7.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141983015"/>
<criterion comment="xorg-x11-server-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-devel is earlier than 0:1.15.0-7.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141983021"/>
<criterion comment="xorg-x11-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983022"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-source is earlier than 0:1.15.0-7.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20141983011"/>
<criterion comment="xorg-x11-server-source is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xorg-x11-server is earlier than 0:1.15.0-25.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141983027"/>
<criterion comment="xorg-x11-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983006"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xdmx is earlier than 0:1.15.0-25.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141983031"/>
<criterion comment="xorg-x11-server-Xdmx is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983010"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xephyr is earlier than 0:1.15.0-25.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141983033"/>
<criterion comment="xorg-x11-server-Xephyr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983014"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xnest is earlier than 0:1.15.0-25.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141983034"/>
<criterion comment="xorg-x11-server-Xnest is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983008"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xorg is earlier than 0:1.15.0-25.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141983029"/>
<criterion comment="xorg-x11-server-Xorg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983020"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xvfb is earlier than 0:1.15.0-25.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141983028"/>
<criterion comment="xorg-x11-server-Xvfb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983018"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-common is earlier than 0:1.15.0-25.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141983032"/>
<criterion comment="xorg-x11-server-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-devel is earlier than 0:1.15.0-25.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141983035"/>
<criterion comment="xorg-x11-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983022"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-source is earlier than 0:1.15.0-25.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141983030"/>
<criterion comment="xorg-x11-server-source is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141984" version="601">
<metadata>
<title>RHSA-2014:1984: bind security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2014:1984-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1984.html" source="RHSA"/>
<reference ref_id="CVE-2014-8500" ref_url="https://access.redhat.com/security/cve/CVE-2014-8500" source="CVE"/>
<description>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.
A denial of service flaw was found in the way BIND followed DNS
delegations. A remote attacker could use a specially crafted zone
containing a large number of referrals which, when looked up and processed,
would cause named to use excessive amounts of memory or crash.
(CVE-2014-8500)
All bind users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, the BIND daemon (named) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-12"/>
<updated date="2014-12-12"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8500">CVE-2014-8500</cve>
<bugzilla href="https://bugzilla.redhat.com/1171912" id="1171912">CVE-2014-8500 bind: delegation handling denial of service</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 30:9.3.6-25.P1.el5_11.2" test_ref="oval:com.redhat.rhsa:tst:20141984002"/>
<criterion comment="bind is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984003"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 30:9.3.6-25.P1.el5_11.2" test_ref="oval:com.redhat.rhsa:tst:20141984006"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984007"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 30:9.3.6-25.P1.el5_11.2" test_ref="oval:com.redhat.rhsa:tst:20141984014"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984015"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libbind-devel is earlier than 30:9.3.6-25.P1.el5_11.2" test_ref="oval:com.redhat.rhsa:tst:20141984012"/>
<criterion comment="bind-libbind-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984013"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 30:9.3.6-25.P1.el5_11.2" test_ref="oval:com.redhat.rhsa:tst:20141984010"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984011"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 30:9.3.6-25.P1.el5_11.2" test_ref="oval:com.redhat.rhsa:tst:20141984004"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984005"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 30:9.3.6-25.P1.el5_11.2" test_ref="oval:com.redhat.rhsa:tst:20141984008"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984009"/>
</criteria>
<criteria operator="AND">
<criterion comment="caching-nameserver is earlier than 30:9.3.6-25.P1.el5_11.2" test_ref="oval:com.redhat.rhsa:tst:20141984016"/>
<criterion comment="caching-nameserver is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984017"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984022"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984024"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984030"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984032"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs-lite is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984040"/>
<criterion comment="bind-libs-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984041"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-license is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984028"/>
<criterion comment="bind-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984029"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-lite-devel is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984038"/>
<criterion comment="bind-lite-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984039"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984026"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb-chroot is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984034"/>
<criterion comment="bind-sdb-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984035"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.9.4-14.el7_0.1" test_ref="oval:com.redhat.rhsa:tst:20141984036"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.8.2-0.30.rc1.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141984046"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.8.2-0.30.rc1.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141984050"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.8.2-0.30.rc1.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141984048"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.8.2-0.30.rc1.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141984047"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.8.2-0.30.rc1.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141984049"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.8.2-0.30.rc1.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20141984051"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20141999" version="601">
<metadata>
<title>RHSA-2014:1999: mailx security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2014:1999-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-1999.html" source="RHSA"/>
<reference ref_id="CVE-2004-2771" ref_url="https://access.redhat.com/security/cve/CVE-2004-2771" source="CVE"/>
<reference ref_id="CVE-2014-7844" ref_url="https://access.redhat.com/security/cve/CVE-2014-7844" source="CVE"/>
<description>The mailx packages contain a mail user agent that is used to manage mail
using scripts.
A flaw was found in the way mailx handled the parsing of email addresses.
A syntactically valid email address could allow a local attacker to cause
mailx to execute arbitrary shell commands through shell meta-characters and
the direct command execution functionality. (CVE-2004-2771, CVE-2014-7844)
Note: Applications using mailx to send email to addresses obtained from
untrusted sources will still remain vulnerable to other attacks if they
accept email addresses which start with "-" (so that they can be confused
with mailx options). To counteract this issue, this update also introduces
the "--" option, which will treat the remaining command line arguments as
email addresses.
All mailx users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-16"/>
<updated date="2014-12-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2004-2771">CVE-2004-2771</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7844">CVE-2014-7844</cve>
<bugzilla href="https://bugzilla.redhat.com/1162783" id="1162783">CVE-2004-2771 CVE-2014-7844 mailx: command execution flaw</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="mailx is earlier than 0:12.5-12.el7_0" test_ref="oval:com.redhat.rhsa:tst:20141999005"/>
<criterion comment="mailx is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141999006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="mailx is earlier than 0:12.4-8.el6_6" test_ref="oval:com.redhat.rhsa:tst:20141999011"/>
<criterion comment="mailx is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141999006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20142010" version="601">
<metadata>
<title>RHSA-2014:2010: kernel security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:2010-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-2010.html" source="RHSA"/>
<reference ref_id="CVE-2014-9322" ref_url="https://access.redhat.com/security/cve/CVE-2014-9322" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the way the Linux kernel handled GS segment register
base switching when recovering from a #SS (stack segment) fault on an
erroneous return to user space. A local, unprivileged user could use this
flaw to escalate their privileges on the system. (CVE-2014-9322, Important)
Red Hat would like to thank Andy Lutomirski for reporting this issue.
All kernel users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-18"/>
<updated date="2014-12-18"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9322">CVE-2014-9322</cve>
<bugzilla href="https://bugzilla.redhat.com/1172806" id="1172806">CVE-2014-9322 kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010031"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010021"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010017"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010015"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010033"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010029"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010027"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010019"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010011"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010023"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010013"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-123.13.2.el7" test_ref="oval:com.redhat.rhsa:tst:20142010009"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20142021" version="601">
<metadata>
<title>RHSA-2014:2021: jasper security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2014:2021-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-2021.html" source="RHSA"/>
<reference ref_id="CVE-2014-8137" ref_url="https://access.redhat.com/security/cve/CVE-2014-8137" source="CVE"/>
<reference ref_id="CVE-2014-8138" ref_url="https://access.redhat.com/security/cve/CVE-2014-8138" source="CVE"/>
<reference ref_id="CVE-2014-9029" ref_url="https://access.redhat.com/security/cve/CVE-2014-9029" source="CVE"/>
<description>JasPer is an implementation of Part 1 of the JPEG 2000 image compression
standard.
Multiple off-by-one flaws, leading to heap-based buffer overflows, were
found in the way JasPer decoded JPEG 2000 image files. A specially crafted
file could cause an application using JasPer to crash or, possibly, execute
arbitrary code. (CVE-2014-9029)
A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG
2000 image files. A specially crafted file could cause an application using
JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8138)
A double free flaw was found in the way JasPer parsed ICC color profiles in
JPEG 2000 image files. A specially crafted file could cause an application
using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8137)
Red Hat would like to thank oCERT for reporting these issues. oCERT
acknowledges Jose Duart of the Google Security Team as the original
reporter.
All JasPer users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. All applications using
the JasPer libraries must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-18"/>
<updated date="2014-12-18"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8137">CVE-2014-8137</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8138">CVE-2014-8138</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9029">CVE-2014-9029</cve>
<bugzilla href="https://bugzilla.redhat.com/1167537" id="1167537">CVE-2014-9029 jasper: incorrect component number check in COC, RGN and QCC marker segment decoders (oCERT-2014-009)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1173157" id="1173157">CVE-2014-8137 jasper: double-free in in jas_iccattrval_destroy() (oCERT-2014-012)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1173162" id="1173162">CVE-2014-8138 jasper: heap overflow in jp2_decode() (oCERT-2014-012)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="jasper is earlier than 0:1.900.1-26.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20142021005"/>
<criterion comment="jasper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021006"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-devel is earlier than 0:1.900.1-26.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20142021007"/>
<criterion comment="jasper-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021008"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-libs is earlier than 0:1.900.1-26.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20142021009"/>
<criterion comment="jasper-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021010"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-utils is earlier than 0:1.900.1-26.el7_0.2" test_ref="oval:com.redhat.rhsa:tst:20142021011"/>
<criterion comment="jasper-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="jasper is earlier than 0:1.900.1-16.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20142021017"/>
<criterion comment="jasper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021006"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-devel is earlier than 0:1.900.1-16.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20142021019"/>
<criterion comment="jasper-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021008"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-libs is earlier than 0:1.900.1-16.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20142021018"/>
<criterion comment="jasper-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021010"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-utils is earlier than 0:1.900.1-16.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20142021020"/>
<criterion comment="jasper-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20142023" version="601">
<metadata>
<title>RHSA-2014:2023: glibc security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:2023-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-2023.html" source="RHSA"/>
<reference ref_id="CVE-2014-7817" ref_url="https://access.redhat.com/security/cve/CVE-2014-7817" source="CVE"/>
<description>The glibc packages provide the standard C libraries (libc), POSIX thread
libraries (libpthread), standard math libraries (libm), and the Name
Server Caching Daemon (nscd) used by multiple programs on the system.
Without these libraries, the Linux system cannot function correctly.
It was found that the wordexp() function would perform command substitution
even when the WRDE_NOCMD flag was specified. An attacker able to provide
specially crafted input to an application using the wordexp() function, and
not sanitizing the input correctly, could potentially use this flaw to
execute arbitrary commands with the credentials of the user running that
application. (CVE-2014-7817)
This issue was discovered by Tim Waugh of the Red Hat Developer Experience
Team.
This update also fixes the following bug:
* Prior to this update, if a file stream that was opened in append mode and
its underlying file descriptor were used at the same time and the file was
truncated using the ftruncate() function on the file descriptor, a
subsequent ftell() call on the stream incorrectly modified the file offset
by seeking to the new end of the file. This update ensures that ftell()
modifies the state of the file stream only when it is in append mode and
its buffer is not empty. As a result, the described incorrect changes to
the file offset no longer occur. (BZ#1170187)
All glibc users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-18"/>
<updated date="2014-12-18"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7817">CVE-2014-7817</cve>
<bugzilla href="https://bugzilla.redhat.com/1157689" id="1157689">CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170187" id="1170187">Problems when using ftruncate on files opened in append mode</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.17-55.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20142023005"/>
<criterion comment="glibc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110019"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.17-55.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20142023017"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110025"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.17-55.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20142023015"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110023"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.17-55.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20142023007"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110021"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-static is earlier than 0:2.17-55.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20142023011"/>
<criterion comment="glibc-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110027"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.17-55.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20142023009"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.17-55.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20142023013"/>
<criterion comment="nscd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110031"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20142024" version="601">
<metadata>
<title>RHSA-2014:2024: ntp security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2014:2024-00" ref_url="https://rhn.redhat.com/errata/RHSA-2014-2024.html" source="RHSA"/>
<reference ref_id="CVE-2014-9293" ref_url="https://access.redhat.com/security/cve/CVE-2014-9293" source="CVE"/>
<reference ref_id="CVE-2014-9294" ref_url="https://access.redhat.com/security/cve/CVE-2014-9294" source="CVE"/>
<reference ref_id="CVE-2014-9295" ref_url="https://access.redhat.com/security/cve/CVE-2014-9295" source="CVE"/>
<reference ref_id="CVE-2014-9296" ref_url="https://access.redhat.com/security/cve/CVE-2014-9296" source="CVE"/>
<description>The Network Time Protocol (NTP) is used to synchronize a computer's time
with a referenced time source.
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(),
ctl_putdata(), and configure() functions. A remote attacker could use
either of these flaws to send a specially crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the privileges of
the ntp user. Note: the crypto_recv() flaw requires non-default
configurations to be active, while the ctl_putdata() flaw, by default, can
only be exploited via local attackers, and the configure() flaw requires
additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal
use if no ntpdc request authentication key was specified in the ntp.conf
configuration file. A remote attacker able to match the configured IP
restrictions could guess the generated key, and possibly use it to send
ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys.
This could possibly allow an attacker to guess generated MD5 keys that
could then be used to spoof an NTP client or server. Note: it is
recommended to regenerate any MD5 keys that had explicitly been generated
with ntp-keygen; the default installation does not contain such keys).
(CVE-2014-9294)
A missing return statement in the receive() function could potentially
allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which
contains backported patches to resolve these issues. After installing the
update, the ntpd daemon will restart automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2014 Red Hat, Inc.</rights>
<issued date="2014-12-20"/>
<updated date="2014-12-20"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9293">CVE-2014-9293</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9294">CVE-2014-9294</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9295">CVE-2014-9295</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9296">CVE-2014-9296</cve>
<bugzilla href="https://bugzilla.redhat.com/1176032" id="1176032">CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1176035" id="1176035">CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1176037" id="1176037">CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1176040" id="1176040">CVE-2014-9296 ntp: receive() missing return on error</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ntp is earlier than 0:4.2.6p5-19.el7_0" test_ref="oval:com.redhat.rhsa:tst:20142024005"/>
<criterion comment="ntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-doc is earlier than 0:4.2.6p5-19.el7_0" test_ref="oval:com.redhat.rhsa:tst:20142024009"/>
<criterion comment="ntp-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-perl is earlier than 0:4.2.6p5-19.el7_0" test_ref="oval:com.redhat.rhsa:tst:20142024013"/>
<criterion comment="ntp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntpdate is earlier than 0:4.2.6p5-19.el7_0" test_ref="oval:com.redhat.rhsa:tst:20142024011"/>
<criterion comment="ntpdate is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024012"/>
</criteria>
<criteria operator="AND">
<criterion comment="sntp is earlier than 0:4.2.6p5-19.el7_0" test_ref="oval:com.redhat.rhsa:tst:20142024007"/>
<criterion comment="sntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ntp is earlier than 0:4.2.6p5-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20142024019"/>
<criterion comment="ntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-doc is earlier than 0:4.2.6p5-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20142024022"/>
<criterion comment="ntp-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-perl is earlier than 0:4.2.6p5-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20142024020"/>
<criterion comment="ntp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntpdate is earlier than 0:4.2.6p5-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20142024021"/>
<criterion comment="ntpdate is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150008" version="601">
<metadata>
<title>RHSA-2015:0008: libvirt security and bug fix update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0008-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0008.html" source="RHSA"/>
<reference ref_id="CVE-2014-7823" ref_url="https://access.redhat.com/security/cve/CVE-2014-7823" source="CVE"/>
<description>The libvirt library is a C API for managing and interacting with the
virtualization capabilities of Linux and other operating systems.
In addition, libvirt provides tools for remote management of
virtualized systems.
It was found that when the VIR_DOMAIN_XML_MIGRATABLE flag was used, the
QEMU driver implementation of the virDomainGetXMLDesc() function could
bypass the restrictions of the VIR_DOMAIN_XML_SECURE flag. A remote
attacker able to establish a read-only connection to libvirtd could use
this flaw to leak certain limited information from the domain XML data.
(CVE-2014-7823)
This issue was discovered by Eric Blake of Red Hat.
This update also fixes the following bugs:
* In Red Hat Enterprise Linux 6, libvirt relies on the QEMU emulator to
supply the error message when an active commit is attempted. However, with
Red Hat Enterprise Linux 7, QEMU added support for an active commit, but an
additional interaction from libvirt to fully enable active commits is still
missing. As a consequence, attempts to perform an active commit caused
libvirt to become unresponsive. With this update, libvirt has been fixed to
detect an active commit by itself, and now properly declares the feature as
unsupported. As a result, libvirt no longer hangs when an active commit is
attempted and instead produces an error message.
Note that the missing libvirt interaction will be added in Red Hat
Enterprise Linux 7.1, adding full support for active commits. (BZ#1150379)
* Prior to this update, the libvirt API did not properly check whether a
Discretionary Access Control (DAC) security label is non-NULL before trying
to parse user/group ownership from it. In addition, the DAC security label
of a transient domain that had just finished migrating to another host is
in some cases NULL. As a consequence, when the virDomainGetBlockInfo API
was called on such a domain, the libvirtd daemon sometimes terminated
unexpectedly. With this update, libvirt properly checks DAC labels before
trying to parse them, and libvirtd thus no longer crashes in the described
scenario. (BZ#1171124)
* If a block copy operation was attempted while another block copy was
already in progress to an explicit raw destination, libvirt previously
stopped regarding the destination as raw. As a consequence, if the
qemu.conf file was edited to allow file format probing, triggering the bug
could allow a malicious guest to bypass sVirt protection by making libvirt
regard the file as non-raw. With this update, libvirt has been fixed to
consistently remember when a block copy destination is raw, and guests can
no longer circumvent sVirt protection when the host is configured to allow
format probing. (BZ#1149078)
All libvirt users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, libvirtd will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-01-05"/>
<updated date="2015-01-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7823">CVE-2014-7823</cve>
<bugzilla href="https://bugzilla.redhat.com/1150379" id="1150379">attempts to live snapshot merge (commit) of the active layer hang</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1160817" id="1160817">CVE-2014-7823 libvirt: dumpxml: information leak with migratable flag</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1171124" id="1171124">libvirtd occasionally crashes at the end of migration</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libvirt is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008005"/>
<criterion comment="libvirt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-client is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008037"/>
<criterion comment="libvirt-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914034"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008035"/>
<criterion comment="libvirt-daemon is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914016"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-config-network is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008011"/>
<criterion comment="libvirt-daemon-config-network is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-config-nwfilter is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008013"/>
<criterion comment="libvirt-daemon-config-nwfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914022"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-interface is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008021"/>
<criterion comment="libvirt-daemon-driver-interface is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914028"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-lxc is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008033"/>
<criterion comment="libvirt-daemon-driver-lxc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914026"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-network is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008029"/>
<criterion comment="libvirt-daemon-driver-network is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-nodedev is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008019"/>
<criterion comment="libvirt-daemon-driver-nodedev is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914020"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-nwfilter is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008015"/>
<criterion comment="libvirt-daemon-driver-nwfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914038"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-qemu is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008039"/>
<criterion comment="libvirt-daemon-driver-qemu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914040"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-secret is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008023"/>
<criterion comment="libvirt-daemon-driver-secret is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-storage is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008031"/>
<criterion comment="libvirt-daemon-driver-storage is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914018"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-kvm is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008041"/>
<criterion comment="libvirt-daemon-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914044"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-lxc is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008007"/>
<criterion comment="libvirt-daemon-lxc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914030"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-devel is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008009"/>
<criterion comment="libvirt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914024"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-docs is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008025"/>
<criterion comment="libvirt-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914032"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-lock-sanlock is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008043"/>
<criterion comment="libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914042"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-login-shell is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008017"/>
<criterion comment="libvirt-login-shell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914014"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-python is earlier than 0:1.1.1-29.el7_0.4" test_ref="oval:com.redhat.rhsa:tst:20150008027"/>
<criterion comment="libvirt-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914036"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150046" version="601">
<metadata>
<title>RHSA-2015:0046: firefox security and bug fix update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0046-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0046.html" source="RHSA"/>
<reference ref_id="CVE-2014-8634" ref_url="https://access.redhat.com/security/cve/CVE-2014-8634" source="CVE"/>
<reference ref_id="CVE-2014-8638" ref_url="https://access.redhat.com/security/cve/CVE-2014-8638" source="CVE"/>
<reference ref_id="CVE-2014-8639" ref_url="https://access.redhat.com/security/cve/CVE-2014-8639" source="CVE"/>
<reference ref_id="CVE-2014-8641" ref_url="https://access.redhat.com/security/cve/CVE-2014-8641" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2014-8634, CVE-2014-8639, CVE-2014-8641)
It was found that the Beacon interface implementation in Firefox did not
follow the Cross-Origin Resource Sharing (CORS) specification. A web page
containing malicious content could allow a remote attacker to conduct a
Cross-Site Request Forgery (XSRF) attack. (CVE-2014-8638)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, Patrick McManus, Muneaki Nishimura,
Xiaofeng Zheng, and Mitchell Harper as the original reporters of these
issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 31.4.0 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.
This update also fixes the following bug:
* The default dictionary for Firefox's spell checker is now correctly set
to the system's locale language. (BZ#643954, BZ#1150572)
All Firefox users should upgrade to these updated packages, which contain
Firefox version 31.4.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-01-13"/>
<updated date="2015-01-13"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8634">CVE-2014-8634</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8638">CVE-2014-8638</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8639">CVE-2014-8639</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8641">CVE-2014-8641</cve>
<bugzilla href="https://bugzilla.redhat.com/643954" id="643954">default spellchecker dictionary is not correct for firefox</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150572" id="1150572">default spellchecker dictionary is not correct for firefox</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180962" id="1180962">CVE-2014-8634 Mozilla: Miscellaneous memory safety hazards (rv:31.4) (MFSA 2015-01)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180966" id="1180966">CVE-2014-8638 Mozilla: sendBeacon requests lack an Origin header (MFSA 2015-03)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180967" id="1180967">CVE-2014-8639 Mozilla: Cookie injection through Proxy Authenticate responses (MFSA 2015-04)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180973" id="1180973">CVE-2014-8641 Mozilla: Read-after-free in WebRTC (MFSA 2015-06)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:31.4.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150046002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xulrunner is earlier than 0:31.4.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150046008"/>
<criterion comment="xulrunner is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner-devel is earlier than 0:31.4.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150046010"/>
<criterion comment="xulrunner-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741018"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.4.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150046012"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.4.0-1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150046018"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150066" version="601">
<metadata>
<title>RHSA-2015:0066: openssl security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0066-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0066.html" source="RHSA"/>
<reference ref_id="CVE-2014-3570" ref_url="https://access.redhat.com/security/cve/CVE-2014-3570" source="CVE"/>
<reference ref_id="CVE-2014-3571" ref_url="https://access.redhat.com/security/cve/CVE-2014-3571" source="CVE"/>
<reference ref_id="CVE-2014-3572" ref_url="https://access.redhat.com/security/cve/CVE-2014-3572" source="CVE"/>
<reference ref_id="CVE-2014-8275" ref_url="https://access.redhat.com/security/cve/CVE-2014-8275" source="CVE"/>
<reference ref_id="CVE-2015-0204" ref_url="https://access.redhat.com/security/cve/CVE-2015-0204" source="CVE"/>
<reference ref_id="CVE-2015-0205" ref_url="https://access.redhat.com/security/cve/CVE-2015-0205" source="CVE"/>
<reference ref_id="CVE-2015-0206" ref_url="https://access.redhat.com/security/cve/CVE-2015-0206" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
library.
A NULL pointer dereference flaw was found in the DTLS implementation of
OpenSSL. A remote attacker could send a specially crafted DTLS message,
which would cause an OpenSSL server to crash. (CVE-2014-3571)
A memory leak flaw was found in the way the dtls1_buffer_record() function
of OpenSSL parsed certain DTLS messages. A remote attacker could send
multiple specially crafted DTLS messages to exhaust all available memory of
a DTLS server. (CVE-2015-0206)
It was found that OpenSSL's BigNumber Squaring implementation could produce
incorrect results under certain special conditions. This flaw could
possibly affect certain OpenSSL library functionality, such as RSA
blinding. Note that this issue occurred rarely and with a low probability,
and there is currently no known way of exploiting it. (CVE-2014-3570)
It was discovered that OpenSSL would perform an ECDH key exchange with a
non-ephemeral key even when the ephemeral ECDH cipher suite was selected.
A malicious server could make a TLS/SSL client using OpenSSL use a weaker
key exchange method than the one requested by the user. (CVE-2014-3572)
It was discovered that OpenSSL would accept ephemeral RSA keys when using
non-export RSA cipher suites. A malicious server could make a TLS/SSL
client using OpenSSL use a weaker key exchange method. (CVE-2015-0204)
Multiple flaws were found in the way OpenSSL parsed X.509 certificates.
An attacker could use these flaws to modify an X.509 certificate to produce
a certificate with a different fingerprint without invalidating its
signature, and possibly bypass fingerprint-based blacklisting in
applications. (CVE-2014-8275)
It was found that an OpenSSL server would, under certain conditions, accept
Diffie-Hellman client certificates without the use of a private key.
An attacker could use a user's client certificate to authenticate as that
user, without needing the private key. (CVE-2015-0205)
All OpenSSL users are advised to upgrade to these updated packages, which
contain a backported patch to mitigate the above issues. For the update to
take effect, all services linked to the OpenSSL library (such as httpd and
other SSL-enabled services) must be restarted or the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-01-20"/>
<updated date="2015-01-21"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3570">CVE-2014-3570</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3571">CVE-2014-3571</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3572">CVE-2014-3572</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8275">CVE-2014-8275</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0204">CVE-2015-0204</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0205">CVE-2015-0205</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0206">CVE-2015-0206</cve>
<bugzilla href="https://bugzilla.redhat.com/1180184" id="1180184">CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180185" id="1180185">CVE-2014-3572 openssl: ECDH downgrade bug fix</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180187" id="1180187">CVE-2014-8275 openssl: Fix various certificate fingerprint issues</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180234" id="1180234">CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180235" id="1180235">CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180239" id="1180239">CVE-2015-0205 openssl: DH client certificates accepted without verification</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180240" id="1180240">CVE-2014-3570 openssl: Bignum squaring may produce incorrect results</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-34.el7_0.7" test_ref="oval:com.redhat.rhsa:tst:20150066005"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.7" test_ref="oval:com.redhat.rhsa:tst:20150066013"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.7" test_ref="oval:com.redhat.rhsa:tst:20150066007"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.7" test_ref="oval:com.redhat.rhsa:tst:20150066011"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.7" test_ref="oval:com.redhat.rhsa:tst:20150066009"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 0:1.0.1e-30.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150066019"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 0:1.0.1e-30.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150066022"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 0:1.0.1e-30.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150066020"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 0:1.0.1e-30.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150066021"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150067" version="604">
<metadata>
<title>RHSA-2015:0067: java-1.7.0-openjdk security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0067-03" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0067.html" source="RHSA"/>
<reference ref_id="CVE-2014-3566" ref_url="https://access.redhat.com/security/cve/CVE-2014-3566" source="CVE"/>
<reference ref_id="CVE-2014-6585" ref_url="https://access.redhat.com/security/cve/CVE-2014-6585" source="CVE"/>
<reference ref_id="CVE-2014-6587" ref_url="https://access.redhat.com/security/cve/CVE-2014-6587" source="CVE"/>
<reference ref_id="CVE-2014-6591" ref_url="https://access.redhat.com/security/cve/CVE-2014-6591" source="CVE"/>
<reference ref_id="CVE-2014-6593" ref_url="https://access.redhat.com/security/cve/CVE-2014-6593" source="CVE"/>
<reference ref_id="CVE-2014-6601" ref_url="https://access.redhat.com/security/cve/CVE-2014-6601" source="CVE"/>
<reference ref_id="CVE-2015-0383" ref_url="https://access.redhat.com/security/cve/CVE-2015-0383" source="CVE"/>
<reference ref_id="CVE-2015-0395" ref_url="https://access.redhat.com/security/cve/CVE-2015-0395" source="CVE"/>
<reference ref_id="CVE-2015-0407" ref_url="https://access.redhat.com/security/cve/CVE-2015-0407" source="CVE"/>
<reference ref_id="CVE-2015-0408" ref_url="https://access.redhat.com/security/cve/CVE-2015-0408" source="CVE"/>
<reference ref_id="CVE-2015-0410" ref_url="https://access.redhat.com/security/cve/CVE-2015-0410" source="CVE"/>
<reference ref_id="CVE-2015-0412" ref_url="https://access.redhat.com/security/cve/CVE-2015-0412" source="CVE"/>
<description>The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the JAX-WS,
and RMI components in OpenJDK. An untrusted Java application or applet
could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412,
CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled phantom
references. An untrusted Java application or applet could use this flaw to
corrupt the Java Virtual Machine memory and, possibly, execute arbitrary
code, bypassing Java sandbox restrictions. (CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules) decoder
in the Security component in OpenJDK handled negative length values. A
specially crafted, DER-encoded input could cause a Java application to
enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes when
decrypting messages that were encrypted using block ciphers in cipher block
chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle
(MITM) attacker to decrypt portions of the cipher text using a padding
oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to re-enable
SSL 3.0 support if needed. For additional information, refer to the Red Hat
Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE component in
OpenJDK failed to properly check whether the ChangeCipherSpec was received
during the SSL/TLS connection handshake. An MITM attacker could possibly
use this flaw to force a connection to be established without encryption
being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK. An
untrusted Java application or applet could use this flaw to bypass certain
Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted Java
application or applet could possibly use this flaw to bypass certain Java
sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in the 2D
component in OpenJDK. A specially crafted font file could allow an
untrusted Java application or applet to disclose portions of the Java
Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error log
files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-01-21"/>
<updated date="2015-01-21"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3566">CVE-2014-3566</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6585">CVE-2014-6585</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6587">CVE-2014-6587</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6591">CVE-2014-6591</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6593">CVE-2014-6593</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6601">CVE-2014-6601</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0383">CVE-2015-0383</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0395">CVE-2015-0395</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0407">CVE-2015-0407</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0408">CVE-2015-0408</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0410">CVE-2015-0410</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0412">CVE-2015-0412</cve>
<bugzilla href="https://bugzilla.redhat.com/1123870" id="1123870">CVE-2015-0383 OpenJDK: insecure hsperfdata temporary file handling (Hotspot, 8050807)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152789" id="1152789">CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183020" id="1183020">CVE-2014-6601 OpenJDK: class verifier insufficient invokespecial calls verification (Hotspot, 8058982)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183021" id="1183021">CVE-2015-0412 OpenJDK: insufficient code privileges checks (JAX-WS, 8054367)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183023" id="1183023">CVE-2015-0408 OpenJDK: incorrect context class loader use in RMI transport (RMI, 8055309)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183031" id="1183031">CVE-2015-0395 OpenJDK: phantom references handling issue in garbage collector (Hotspot, 8047125)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183043" id="1183043">CVE-2015-0407 OpenJDK: directory information leak via file chooser (Swing, 8055304)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183044" id="1183044">CVE-2015-0410 OpenJDK: DER decoder infinite loop (Security, 8059485)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183049" id="1183049">CVE-2014-6593 OpenJDK: incorrect tracking of ChangeCipherSpec during SSL/TLS handshake (JSSE, 8057555)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183645" id="1183645">CVE-2014-6585 ICU: font parsing OOB read (OpenJDK 2D, 8055489)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183646" id="1183646">CVE-2014-6591 ICU: font parsing OOB read (OpenJDK 2D, 8056276)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183715" id="1183715">CVE-2014-6587 OpenJDK: MulticastSocket NULL pointer dereference (Libraries, 8056264)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.75-2.5.4.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150067005"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.75-2.5.4.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150067007"/>
<criterion comment="java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.75-2.5.4.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150067015"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.75-2.5.4.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150067011"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.75-2.5.4.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150067013"/>
<criterion comment="java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.75-2.5.4.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150067017"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.75-2.5.4.2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150067009"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.75-2.5.4.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150067023"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.75-2.5.4.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150067024"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.75-2.5.4.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150067027"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.75-2.5.4.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150067026"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.75-2.5.4.0.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150067025"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150074" version="601">
<metadata>
<title>RHSA-2015:0074: jasper security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:0074-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0074.html" source="RHSA"/>
<reference ref_id="CVE-2014-8157" ref_url="https://access.redhat.com/security/cve/CVE-2014-8157" source="CVE"/>
<reference ref_id="CVE-2014-8158" ref_url="https://access.redhat.com/security/cve/CVE-2014-8158" source="CVE"/>
<description>JasPer is an implementation of Part 1 of the JPEG 2000 image compression
standard.
An off-by-one flaw, leading to a heap-based buffer overflow, was found in
the way JasPer decoded JPEG 2000 image files. A specially crafted file
could cause an application using JasPer to crash or, possibly, execute
arbitrary code. (CVE-2014-8157)
An unrestricted stack memory use flaw was found in the way JasPer decoded
JPEG 2000 image files. A specially crafted file could cause an application
using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8158)
Red Hat would like to thank oCERT for reporting these issues. oCERT
acknowledges pyddeh as the original reporter.
All JasPer users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. All applications using
the JasPer libraries must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-01-22"/>
<updated date="2015-01-22"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8157">CVE-2014-8157</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8158">CVE-2014-8158</cve>
<bugzilla href="https://bugzilla.redhat.com/1179282" id="1179282">CVE-2014-8157 jasper: dec->numtiles off-by-one check in jpc_dec_process_sot() (oCERT-2015-001)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1179298" id="1179298">CVE-2014-8158 jasper: unrestricted stack memory use in jpc_qmfb.c (oCERT-2015-001)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="jasper is earlier than 0:1.900.1-26.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20150074005"/>
<criterion comment="jasper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021006"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-devel is earlier than 0:1.900.1-26.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20150074011"/>
<criterion comment="jasper-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021008"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-libs is earlier than 0:1.900.1-26.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20150074007"/>
<criterion comment="jasper-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021010"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-utils is earlier than 0:1.900.1-26.el7_0.3" test_ref="oval:com.redhat.rhsa:tst:20150074009"/>
<criterion comment="jasper-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="jasper is earlier than 0:1.900.1-16.el6_6.3" test_ref="oval:com.redhat.rhsa:tst:20150074017"/>
<criterion comment="jasper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021006"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-devel is earlier than 0:1.900.1-16.el6_6.3" test_ref="oval:com.redhat.rhsa:tst:20150074019"/>
<criterion comment="jasper-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021008"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-libs is earlier than 0:1.900.1-16.el6_6.3" test_ref="oval:com.redhat.rhsa:tst:20150074020"/>
<criterion comment="jasper-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021010"/>
</criteria>
<criteria operator="AND">
<criterion comment="jasper-utils is earlier than 0:1.900.1-16.el6_6.3" test_ref="oval:com.redhat.rhsa:tst:20150074018"/>
<criterion comment="jasper-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142021012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150085" version="601">
<metadata>
<title>RHSA-2015:0085: java-1.6.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0085-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0085.html" source="RHSA"/>
<reference ref_id="CVE-2014-3566" ref_url="https://access.redhat.com/security/cve/CVE-2014-3566" source="CVE"/>
<reference ref_id="CVE-2014-6585" ref_url="https://access.redhat.com/security/cve/CVE-2014-6585" source="CVE"/>
<reference ref_id="CVE-2014-6587" ref_url="https://access.redhat.com/security/cve/CVE-2014-6587" source="CVE"/>
<reference ref_id="CVE-2014-6591" ref_url="https://access.redhat.com/security/cve/CVE-2014-6591" source="CVE"/>
<reference ref_id="CVE-2014-6593" ref_url="https://access.redhat.com/security/cve/CVE-2014-6593" source="CVE"/>
<reference ref_id="CVE-2014-6601" ref_url="https://access.redhat.com/security/cve/CVE-2014-6601" source="CVE"/>
<reference ref_id="CVE-2015-0383" ref_url="https://access.redhat.com/security/cve/CVE-2015-0383" source="CVE"/>
<reference ref_id="CVE-2015-0395" ref_url="https://access.redhat.com/security/cve/CVE-2015-0395" source="CVE"/>
<reference ref_id="CVE-2015-0407" ref_url="https://access.redhat.com/security/cve/CVE-2015-0407" source="CVE"/>
<reference ref_id="CVE-2015-0408" ref_url="https://access.redhat.com/security/cve/CVE-2015-0408" source="CVE"/>
<reference ref_id="CVE-2015-0410" ref_url="https://access.redhat.com/security/cve/CVE-2015-0410" source="CVE"/>
<reference ref_id="CVE-2015-0412" ref_url="https://access.redhat.com/security/cve/CVE-2015-0412" source="CVE"/>
<description>The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions.
(CVE-2014-6601)
Multiple improper permission check issues were discovered in the JAX-WS,
and RMI components in OpenJDK. An untrusted Java application or applet
could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412,
CVE-2015-0408)
A flaw was found in the way the Hotspot garbage collector handled phantom
references. An untrusted Java application or applet could use this flaw to
corrupt the Java Virtual Machine memory and, possibly, execute arbitrary
code, bypassing Java sandbox restrictions. (CVE-2015-0395)
A flaw was found in the way the DER (Distinguished Encoding Rules) decoder
in the Security component in OpenJDK handled negative length values. A
specially crafted, DER-encoded input could cause a Java application to
enter an infinite loop when decoded. (CVE-2015-0410)
A flaw was found in the way the SSL 3.0 protocol handled padding bytes when
decrypting messages that were encrypted using block ciphers in cipher block
chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle
(MITM) attacker to decrypt portions of the cipher text using a padding
oracle attack. (CVE-2014-3566)
Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to re-enable
SSL 3.0 support if needed. For additional information, refer to the Red Hat
Bugzilla bug linked to in the References section.
It was discovered that the SSL/TLS implementation in the JSSE component in
OpenJDK failed to properly check whether the ChangeCipherSpec was received
during the SSL/TLS connection handshake. An MITM attacker could possibly
use this flaw to force a connection to be established without encryption
being enabled. (CVE-2014-6593)
An information leak flaw was found in the Swing component in OpenJDK. An
untrusted Java application or applet could use this flaw to bypass certain
Java sandbox restrictions. (CVE-2015-0407)
A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted Java
application or applet could possibly use this flaw to bypass certain Java
sandbox restrictions. (CVE-2014-6587)
Multiple boundary check flaws were found in the font parsing code in the 2D
component in OpenJDK. A specially crafted font file could allow an
untrusted Java application or applet to disclose portions of the Java
Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error log
files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. (CVE-2015-0383)
The CVE-2015-0383 issue was discovered by Red Hat.
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-01-26"/>
<updated date="2015-01-26"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3566">CVE-2014-3566</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6585">CVE-2014-6585</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6587">CVE-2014-6587</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6591">CVE-2014-6591</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6593">CVE-2014-6593</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6601">CVE-2014-6601</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0383">CVE-2015-0383</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0395">CVE-2015-0395</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0407">CVE-2015-0407</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0408">CVE-2015-0408</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0410">CVE-2015-0410</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0412">CVE-2015-0412</cve>
<bugzilla href="https://bugzilla.redhat.com/1123870" id="1123870">CVE-2015-0383 OpenJDK: insecure hsperfdata temporary file handling (Hotspot, 8050807)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152789" id="1152789">CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183020" id="1183020">CVE-2014-6601 OpenJDK: class verifier insufficient invokespecial calls verification (Hotspot, 8058982)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183021" id="1183021">CVE-2015-0412 OpenJDK: insufficient code privileges checks (JAX-WS, 8054367)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183023" id="1183023">CVE-2015-0408 OpenJDK: incorrect context class loader use in RMI transport (RMI, 8055309)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183031" id="1183031">CVE-2015-0395 OpenJDK: phantom references handling issue in garbage collector (Hotspot, 8047125)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183043" id="1183043">CVE-2015-0407 OpenJDK: directory information leak via file chooser (Swing, 8055304)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183044" id="1183044">CVE-2015-0410 OpenJDK: DER decoder infinite loop (Security, 8059485)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183049" id="1183049">CVE-2014-6593 OpenJDK: incorrect tracking of ChangeCipherSpec during SSL/TLS handshake (JSSE, 8057555)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183645" id="1183645">CVE-2014-6585 ICU: font parsing OOB read (OpenJDK 2D, 8055489)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183646" id="1183646">CVE-2014-6591 ICU: font parsing OOB read (OpenJDK 2D, 8056276)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183715" id="1183715">CVE-2014-6587 OpenJDK: MulticastSocket NULL pointer dereference (Libraries, 8056264)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.34-1.13.6.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150085002"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907003"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.34-1.13.6.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150085006"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907011"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.34-1.13.6.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150085010"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907009"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.34-1.13.6.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150085008"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907007"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.34-1.13.6.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150085004"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907005"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.34-1.13.6.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150085016"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.34-1.13.6.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150085022"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.34-1.13.6.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150085020"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.34-1.13.6.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150085024"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.34-1.13.6.1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150085018"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.34-1.13.6.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150085030"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.34-1.13.6.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150085033"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.34-1.13.6.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150085032"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.34-1.13.6.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150085034"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.34-1.13.6.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150085031"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150092" version="601">
<metadata>
<title>RHSA-2015:0092: glibc security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0092-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0092.html" source="RHSA"/>
<reference ref_id="CVE-2015-0235" ref_url="https://access.redhat.com/security/cve/CVE-2015-0235" source="CVE"/>
<description>The glibc packages provide the standard C libraries (libc), POSIX thread
libraries (libpthread), standard math libraries (libm), and the Name
Server Caching Daemon (nscd) used by multiple programs on the system.
Without these libraries, the Linux system cannot function correctly.
A heap-based buffer overflow was found in glibc's
__nss_hostname_digits_dots() function, which is used by the gethostbyname()
and gethostbyname2() glibc function calls. A remote attacker able to make
an application call either of these functions could use this flaw to
execute arbitrary code with the permissions of the user running the
application. (CVE-2015-0235)
Red Hat would like to thank Qualys for reporting this issue.
All glibc users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-01-27"/>
<updated date="2015-01-27"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0235">CVE-2015-0235</cve>
<bugzilla href="https://bugzilla.redhat.com/1183461" id="1183461">CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.17-55.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20150092005"/>
<criterion comment="glibc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110019"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.17-55.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20150092007"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110025"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.17-55.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20150092009"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110023"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.17-55.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20150092011"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110021"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-static is earlier than 0:2.17-55.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20150092013"/>
<criterion comment="glibc-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110027"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.17-55.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20150092015"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.17-55.el7_0.5" test_ref="oval:com.redhat.rhsa:tst:20150092017"/>
<criterion comment="nscd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110031"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.12-1.149.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150092023"/>
<criterion comment="glibc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110019"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.12-1.149.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150092029"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110025"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.12-1.149.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150092025"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110023"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.12-1.149.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150092024"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110021"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-static is earlier than 0:2.12-1.149.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150092028"/>
<criterion comment="glibc-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110027"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.12-1.149.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150092027"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.12-1.149.el6_6.5" test_ref="oval:com.redhat.rhsa:tst:20150092026"/>
<criterion comment="nscd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110031"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150100" version="601">
<metadata>
<title>RHSA-2015:0100: libyaml security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:0100-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0100.html" source="RHSA"/>
<reference ref_id="CVE-2014-9130" ref_url="https://access.redhat.com/security/cve/CVE-2014-9130" source="CVE"/>
<description>YAML is a data serialization format designed for human readability and
interaction with scripting languages. LibYAML is a YAML parser and emitter
written in C.
An assertion failure was found in the way the libyaml library parsed
wrapped strings. An attacker able to load specially crafted YAML input into
an application using libyaml could cause the application to crash.
(CVE-2014-9130)
All libyaml users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. All running applications
linked against the libyaml library must be restarted for this update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-01-28"/>
<updated date="2015-01-28"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9130">CVE-2014-9130</cve>
<bugzilla href="https://bugzilla.redhat.com/1169369" id="1169369">CVE-2014-9130 libyaml: assert failure when processing wrapped strings</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libyaml is earlier than 0:0.1.4-11.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150100005"/>
<criterion comment="libyaml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150100006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libyaml-devel is earlier than 0:0.1.4-11.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150100007"/>
<criterion comment="libyaml-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150100008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libyaml is earlier than 0:0.1.3-4.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150100013"/>
<criterion comment="libyaml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150100006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libyaml-devel is earlier than 0:0.1.3-4.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150100014"/>
<criterion comment="libyaml-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150100008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150102" version="601">
<metadata>
<title>RHSA-2015:0102: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0102-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0102.html" source="RHSA"/>
<reference ref_id="CVE-2014-4171" ref_url="https://access.redhat.com/security/cve/CVE-2014-4171" source="CVE"/>
<reference ref_id="CVE-2014-5471" ref_url="https://access.redhat.com/security/cve/CVE-2014-5471" source="CVE"/>
<reference ref_id="CVE-2014-5472" ref_url="https://access.redhat.com/security/cve/CVE-2014-5472" source="CVE"/>
<reference ref_id="CVE-2014-7145" ref_url="https://access.redhat.com/security/cve/CVE-2014-7145" source="CVE"/>
<reference ref_id="CVE-2014-7822" ref_url="https://access.redhat.com/security/cve/CVE-2014-7822" source="CVE"/>
<reference ref_id="CVE-2014-7841" ref_url="https://access.redhat.com/security/cve/CVE-2014-7841" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the way the Linux kernel's SCTP implementation
validated INIT chunks when performing Address Configuration Change
(ASCONF). A remote attacker could use this flaw to crash the system by
sending a specially crafted SCTP packet to trigger a NULL pointer
dereference on the system. (CVE-2014-7841, Important)
* A race condition flaw was found in the way the Linux kernel's mmap(2),
madvise(2), and fallocate(2) system calls interacted with each other while
operating on virtual memory file system files. A local user could use this
flaw to cause a denial of service. (CVE-2014-4171, Moderate)
* A NULL pointer dereference flaw was found in the way the Linux kernel's
Common Internet File System (CIFS) implementation handled mounting of file
system shares. A remote attacker could use this flaw to crash a client
system that would mount a file system share from a malicious server.
(CVE-2014-7145, Moderate)
* A flaw was found in the way the Linux kernel's splice() system call
validated its parameters. On certain file systems, a local, unprivileged
user could use this flaw to write past the maximum file size, and thus
crash the system. (CVE-2014-7822, Moderate)
* It was found that the parse_rock_ridge_inode_internal() function of the
Linux kernel's ISOFS implementation did not correctly check relocated
directories when processing Rock Ridge child link (CL) tags. An attacker
with physical access to the system could use a specially crafted ISO image
to crash the system or, potentially, escalate their privileges on the
system. (CVE-2014-5471, CVE-2014-5472, Low)
Red Hat would like to thank Akira Fujita of NEC for reporting the
CVE-2014-7822 issue. The CVE-2014-7841 issue was discovered by Liu Wei of
Red Hat.
This update also fixes the following bugs:
* Previously, a kernel panic could occur if a process reading from a locked
NFS file was killed and the lock was not released properly before the read
operations finished. Consequently, the system crashed. The code handling
file locks has been fixed, and instead of halting, the system now emits a
warning about the unreleased lock. (BZ#1172266)
* A race condition in the command abort handling logic of the ipr device
driver could cause the kernel to panic when the driver received a response
to an abort command prior to receiving other responses to the aborted
command due to the support for multiple interrupts. With this update, the
abort handler waits for the aborted command's responses first before
completing an abort operation. (BZ#1162734)
* Previously, a race condition could occur when changing a Page Table Entry
(PTE) or a Page Middle Directory (PMD) to "pte_numa" or "pmd_numa",
respectively, causing the kernel to crash. This update removes the BUG_ON()
macro from the __handle_mm_fault() function, preventing the kernel panic in
the aforementioned scenario. (BZ#1170662)
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-01-28"/>
<updated date="2015-01-28"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4171">CVE-2014-4171</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-5471">CVE-2014-5471</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-5472">CVE-2014-5472</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7145">CVE-2014-7145</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7822">CVE-2014-7822</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7841">CVE-2014-7841</cve>
<bugzilla href="https://bugzilla.redhat.com/1111180" id="1111180">CVE-2014-4171 Kernel: mm/shmem: denial of service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1134099" id="1134099">CVE-2014-5471 CVE-2014-5472 kernel: isofs: unbound recursion when processing relocated directories</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1147522" id="1147522">CVE-2014-7145 Kernel: cifs: NULL pointer dereference in SMB2_tcon</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163087" id="1163087">CVE-2014-7841 kernel: net: sctp: NULL pointer dereference in af->from_addr_param on malformed packet</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163792" id="1163792">CVE-2014-7822 kernel: splice: lack of generic write checks</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102033"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102015"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102011"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102019"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102031"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102029"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102027"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102013"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102023"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102017"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102021"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-123.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20150102009"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150118" version="601">
<metadata>
<title>RHSA-2015:0118: mariadb security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0118-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0118.html" source="RHSA"/>
<reference ref_id="CVE-2014-6568" ref_url="https://access.redhat.com/security/cve/CVE-2014-6568" source="CVE"/>
<reference ref_id="CVE-2015-0374" ref_url="https://access.redhat.com/security/cve/CVE-2015-0374" source="CVE"/>
<reference ref_id="CVE-2015-0381" ref_url="https://access.redhat.com/security/cve/CVE-2015-0381" source="CVE"/>
<reference ref_id="CVE-2015-0382" ref_url="https://access.redhat.com/security/cve/CVE-2015-0382" source="CVE"/>
<reference ref_id="CVE-2015-0391" ref_url="https://access.redhat.com/security/cve/CVE-2015-0391" source="CVE"/>
<reference ref_id="CVE-2015-0411" ref_url="https://access.redhat.com/security/cve/CVE-2015-0411" source="CVE"/>
<reference ref_id="CVE-2015-0432" ref_url="https://access.redhat.com/security/cve/CVE-2015-0432" source="CVE"/>
<description>MariaDB is a multi-user, multi-threaded SQL database server that is binary
compatible with MySQL.
This update fixes several vulnerabilities in the MariaDB database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory page, listed in the References section. (CVE-2015-0381,
CVE-2015-0382, CVE-2015-0391, CVE-2015-0411, CVE-2015-0432, CVE-2014-6568,
CVE-2015-0374)
These updated packages upgrade MariaDB to version 5.5.41. Refer to the
MariaDB Release Notes listed in the References section for a complete list
of changes.
All MariaDB users should upgrade to these updated packages, which correct
these issues. After installing this update, the MariaDB server daemon
(mysqld) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-02-03"/>
<updated date="2015-02-03"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6568">CVE-2014-6568</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0374">CVE-2015-0374</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0381">CVE-2015-0381</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0382">CVE-2015-0382</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0391">CVE-2015-0391</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0411">CVE-2015-0411</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0432">CVE-2015-0432</cve>
<bugzilla href="https://bugzilla.redhat.com/1184552" id="1184552">CVE-2014-6568 mysql: unspecified vulnerability related to Server:InnoDB:DML (CPU Jan 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184553" id="1184553">CVE-2015-0374 mysql: unspecified vulnerability related to Server:Security:Privileges:Foreign Key (CPU Jan 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184554" id="1184554">CVE-2015-0381 mysql: unspecified vulnerability related to Server:Replication (CPU Jan 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184555" id="1184555">CVE-2015-0382 mysql: unspecified vulnerability related to Server:Replication (CPU Jan 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184557" id="1184557">CVE-2015-0391 mysql: unspecified vulnerability related to Server:DDL (CPU Jan 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184560" id="1184560">CVE-2015-0411 mysql: unspecified vulnerability related to Server:Security:Encryption (CPU Jan 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184561" id="1184561">CVE-2015-0432 mysql: unspecified vulnerability related to Server:InnoDB:DDL:Foreign Key (CPU Jan 2015)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="mariadb is earlier than 1:5.5.41-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150118005"/>
<criterion comment="mariadb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702006"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-bench is earlier than 1:5.5.41-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150118015"/>
<criterion comment="mariadb-bench is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702012"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-devel is earlier than 1:5.5.41-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150118019"/>
<criterion comment="mariadb-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702018"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-embedded is earlier than 1:5.5.41-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150118013"/>
<criterion comment="mariadb-embedded is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702014"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-embedded-devel is earlier than 1:5.5.41-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150118007"/>
<criterion comment="mariadb-embedded-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702010"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-libs is earlier than 1:5.5.41-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150118011"/>
<criterion comment="mariadb-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702008"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-server is earlier than 1:5.5.41-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150118017"/>
<criterion comment="mariadb-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702020"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-test is earlier than 1:5.5.41-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150118009"/>
<criterion comment="mariadb-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150166" version="601">
<metadata>
<title>RHSA-2015:0166: subversion security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0166-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0166.html" source="RHSA"/>
<reference ref_id="CVE-2014-3528" ref_url="https://access.redhat.com/security/cve/CVE-2014-3528" source="CVE"/>
<reference ref_id="CVE-2014-3580" ref_url="https://access.redhat.com/security/cve/CVE-2014-3580" source="CVE"/>
<reference ref_id="CVE-2014-8108" ref_url="https://access.redhat.com/security/cve/CVE-2014-8108" source="CVE"/>
<description>Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes. The
mod_dav_svn module is used with the Apache HTTP Server to allow access
to Subversion repositories via HTTP.
A NULL pointer dereference flaw was found in the way the mod_dav_svn module
handled REPORT requests. A remote, unauthenticated attacker could use a
specially crafted REPORT request to crash mod_dav_svn. (CVE-2014-3580)
A NULL pointer dereference flaw was found in the way the mod_dav_svn module
handled certain requests for URIs that trigger a lookup of a virtual
transaction name. A remote, unauthenticated attacker could send a request
for a virtual transaction name that does not exist, causing mod_dav_svn to
crash. (CVE-2014-8108)
It was discovered that Subversion clients retrieved cached authentication
credentials using the MD5 hash of the server realm string without also
checking the server's URL. A malicious server able to provide a realm that
triggers an MD5 collision could possibly use this flaw to obtain the
credentials for a different realm. (CVE-2014-3528)
Red Hat would like to thank the Subversion project for reporting
CVE-2014-3580 and CVE-2014-8108. Upstream acknowledges Evgeny Kotkov of
VisualSVN as the original reporter.
All subversion users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, for the update to take effect, you must restart the httpd
daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are
serving Subversion repositories via the svn:// protocol.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-02-10"/>
<updated date="2015-02-10"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3528">CVE-2014-3528</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3580">CVE-2014-3580</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8108">CVE-2014-8108</cve>
<bugzilla href="https://bugzilla.redhat.com/1125799" id="1125799">CVE-2014-3528 subversion: credentials leak via MD5 collision</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174054" id="1174054">CVE-2014-3580 subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174057" id="1174057">CVE-2014-8108 subversion: NULL pointer dereference flaw in mod_dav_svn when handling URIs for virtual transaction names</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="mod_dav_svn is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166015"/>
<criterion comment="mod_dav_svn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166016"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166005"/>
<criterion comment="subversion is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166006"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-devel is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166025"/>
<criterion comment="subversion-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166026"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-gnome is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166017"/>
<criterion comment="subversion-gnome is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166018"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-javahl is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166019"/>
<criterion comment="subversion-javahl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166020"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-kde is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166007"/>
<criterion comment="subversion-kde is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166008"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-libs is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166013"/>
<criterion comment="subversion-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166014"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-perl is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166023"/>
<criterion comment="subversion-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166024"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-python is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166011"/>
<criterion comment="subversion-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166012"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-ruby is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166009"/>
<criterion comment="subversion-ruby is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166010"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-tools is earlier than 0:1.7.14-7.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150166021"/>
<criterion comment="subversion-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166022"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150252" version="601">
<metadata>
<title>RHSA-2015:0252: samba security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0252-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0252.html" source="RHSA"/>
<reference ref_id="CVE-2015-0240" ref_url="https://access.redhat.com/security/cve/CVE-2015-0240" source="CVE"/>
<description>Samba is an open-source implementation of the Server Message Block (SMB) or
Common Internet File System (CIFS) protocol, which allows PC-compatible
machines to share files, printers, and other information.
An uninitialized pointer use flaw was found in the Samba daemon (smbd).
A malicious Samba client could send specially crafted netlogon packets
that, when processed by smbd, could potentially lead to arbitrary code
execution with the privileges of the user running smbd (by default, the
root user). (CVE-2015-0240)
For additional information about this flaw, see the Knowledgebase article
at https://access.redhat.com/articles/1346913
Red Hat would like to thank the Samba project for reporting this issue.
Upstream acknowledges Richard van Eeden of Microsoft Vulnerability Research
as the original reporter of this issue.
All Samba users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing this
update, the smb service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-02-23"/>
<updated date="2015-02-23"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0240">CVE-2015-0240</cve>
<bugzilla href="https://bugzilla.redhat.com/1191325" id="1191325">CVE-2015-0240 samba: talloc free on uninitialized stack pointer in netlogon server could lead to remote-code execution</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libsmbclient is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252029"/>
<criterion comment="libsmbclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867038"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsmbclient-devel is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252027"/>
<criterion comment="libsmbclient-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867032"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwbclient is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252021"/>
<criterion comment="libwbclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867026"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwbclient-devel is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252025"/>
<criterion comment="libwbclient-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867008"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252005"/>
<criterion comment="samba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867006"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-client is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252007"/>
<criterion comment="samba-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867042"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-common is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252023"/>
<criterion comment="samba-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867034"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-dc is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252033"/>
<criterion comment="samba-dc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867028"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-dc-libs is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252017"/>
<criterion comment="samba-dc-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867014"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-devel is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252037"/>
<criterion comment="samba-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867020"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-libs is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252009"/>
<criterion comment="samba-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867024"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-pidl is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252031"/>
<criterion comment="samba-pidl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867022"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-python is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252011"/>
<criterion comment="samba-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867010"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-test is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252013"/>
<criterion comment="samba-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867040"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-test-devel is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252015"/>
<criterion comment="samba-test-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867030"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-vfs-glusterfs is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252043"/>
<criterion comment="samba-vfs-glusterfs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867044"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252041"/>
<criterion comment="samba-winbind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867036"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-clients is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252039"/>
<criterion comment="samba-winbind-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867018"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-krb5-locator is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252019"/>
<criterion comment="samba-winbind-krb5-locator is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867012"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-modules is earlier than 0:4.1.1-38.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150252035"/>
<criterion comment="samba-winbind-modules is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150265" version="601">
<metadata>
<title>RHSA-2015:0265: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0265-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0265.html" source="RHSA"/>
<reference ref_id="CVE-2015-0822" ref_url="https://access.redhat.com/security/cve/CVE-2015-0822" source="CVE"/>
<reference ref_id="CVE-2015-0827" ref_url="https://access.redhat.com/security/cve/CVE-2015-0827" source="CVE"/>
<reference ref_id="CVE-2015-0831" ref_url="https://access.redhat.com/security/cve/CVE-2015-0831" source="CVE"/>
<reference ref_id="CVE-2015-0836" ref_url="https://access.redhat.com/security/cve/CVE-2015-0836" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2015-0836, CVE-2015-0831, CVE-2015-0827)
An information leak flaw was found in the way Firefox implemented
autocomplete forms. An attacker able to trick a user into specifying a
local file in the form could use this flaw to access the contents of that
file. (CVE-2015-0822)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Carsten Book, Christoph Diehl, Gary Kwong, Jan de
Mooij, Liz Henry, Byron Campen, Tom Schuster, Ryan VanderMeulen, Paul
Bandha, Abhishek Arya, and Armin Razmdjou as the original reporters of
these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 31.5.0 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 31.5.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-02-24"/>
<updated date="2015-02-24"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0822">CVE-2015-0822</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0827">CVE-2015-0827</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0831">CVE-2015-0831</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0836">CVE-2015-0836</cve>
<bugzilla href="https://bugzilla.redhat.com/1195605" id="1195605">CVE-2015-0836 Mozilla: Miscellaneous memory safety hazards (rv:31.5) (MFSA 2015-11)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1195619" id="1195619">CVE-2015-0831 Mozilla: Use-after-free in IndexedDB (MFSA 2015-16)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1195623" id="1195623">CVE-2015-0827 Mozilla: Out-of-bounds read and write while rendering SVG content (MFSA 2015-19)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1195638" id="1195638">CVE-2015-0822 Mozilla: Reading of local files through manipulation of form autocomplete (MFSA 2015-24)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:31.5.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150265002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.5.0-2.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150265008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner is earlier than 0:31.5.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150265010"/>
<criterion comment="xulrunner is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner-devel is earlier than 0:31.5.0-1.el7_0" test_ref="oval:com.redhat.rhsa:tst:20150265012"/>
<criterion comment="xulrunner-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741018"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.5.0-1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150265018"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150290" version="601">
<metadata>
<title>RHSA-2015:0290: kernel security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0290-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0290.html" source="RHSA"/>
<reference ref_id="CVE-2014-3690" ref_url="https://access.redhat.com/security/cve/CVE-2014-3690" source="CVE"/>
<reference ref_id="CVE-2014-3940" ref_url="https://access.redhat.com/security/cve/CVE-2014-3940" source="CVE"/>
<reference ref_id="CVE-2014-7825" ref_url="https://access.redhat.com/security/cve/CVE-2014-7825" source="CVE"/>
<reference ref_id="CVE-2014-7826" ref_url="https://access.redhat.com/security/cve/CVE-2014-7826" source="CVE"/>
<reference ref_id="CVE-2014-8086" ref_url="https://access.redhat.com/security/cve/CVE-2014-8086" source="CVE"/>
<reference ref_id="CVE-2014-8160" ref_url="https://access.redhat.com/security/cve/CVE-2014-8160" source="CVE"/>
<reference ref_id="CVE-2014-8172" ref_url="https://access.redhat.com/security/cve/CVE-2014-8172" source="CVE"/>
<reference ref_id="CVE-2014-8173" ref_url="https://access.redhat.com/security/cve/CVE-2014-8173" source="CVE"/>
<reference ref_id="CVE-2014-8709" ref_url="https://access.redhat.com/security/cve/CVE-2014-8709" source="CVE"/>
<reference ref_id="CVE-2014-8884" ref_url="https://access.redhat.com/security/cve/CVE-2014-8884" source="CVE"/>
<reference ref_id="CVE-2015-0274" ref_url="https://access.redhat.com/security/cve/CVE-2015-0274" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the way the Linux kernel's XFS file system handled
replacing of remote attributes under certain conditions. A local user with
access to XFS file system mount could potentially use this flaw to escalate
their privileges on the system. (CVE-2015-0274, Important)
* It was found that the Linux kernel's KVM implementation did not ensure
that the host CR4 control register value remained unchanged across VM
entries on the same virtual CPU. A local, unprivileged user could use this
flaw to cause denial of service on the system. (CVE-2014-3690, Moderate)
* A flaw was found in the way Linux kernel's Transparent Huge Pages (THP)
implementation handled non-huge page migration. A local, unprivileged user
could use this flaw to crash the kernel by migrating transparent hugepages.
(CVE-2014-3940, Moderate)
* An out-of-bounds memory access flaw was found in the syscall tracing
functionality of the Linux kernel's perf subsystem. A local, unprivileged
user could use this flaw to crash the system. (CVE-2014-7825, Moderate)
* An out-of-bounds memory access flaw was found in the syscall tracing
functionality of the Linux kernel's ftrace subsystem. On a system with
ftrace syscall tracing enabled, a local, unprivileged user could use this
flaw to crash the system, or escalate their privileges. (CVE-2014-7826,
Moderate)
* A race condition flaw was found in the Linux kernel's ext4 file system
implementation that allowed a local, unprivileged user to crash the system
by simultaneously writing to a file and toggling the O_DIRECT flag using
fcntl(F_SETFL) on that file. (CVE-2014-8086, Moderate)
* A flaw was found in the way the Linux kernel's netfilter subsystem
handled generic protocol tracking. As demonstrated in the Stream Control
Transmission Protocol (SCTP) case, a remote attacker could use this flaw to
bypass intended iptables rule restrictions when the associated connection
tracking module was not loaded on the system. (CVE-2014-8160, Moderate)
* It was found that due to excessive files_lock locking, a soft lockup
could be triggered in the Linux kernel when performing asynchronous I/O
operations. A local, unprivileged user could use this flaw to crash the
system. (CVE-2014-8172, Moderate)
* A NULL pointer dereference flaw was found in the way the Linux kernel's
madvise MADV_WILLNEED functionality handled page table locking. A local,
unprivileged user could use this flaw to crash the system. (CVE-2014-8173,
Moderate)
* An information leak flaw was found in the Linux kernel's IEEE 802.11
wireless networking implementation. When software encryption was used, a
remote attacker could use this flaw to leak up to 8 bytes of plaintext.
(CVE-2014-8709, Low)
* A stack-based buffer overflow flaw was found in the TechnoTrend/Hauppauge
DEC USB device driver. A local user with write access to the corresponding
device could use this flaw to crash the kernel or, potentially, elevate
their privileges on the system. (CVE-2014-8884, Low)
Red Hat would like to thank Eric Windisch of the Docker project for
reporting CVE-2015-0274, Andy Lutomirski for reporting CVE-2014-3690, and
Robert Święcki for reporting CVE-2014-7825 and CVE-2014-7826.
This update also fixes several hundred bugs and adds numerous enhancements.
Refer to the Red Hat Enterprise Linux 7.1 Release Notes for information on
the most significant of these changes, and the following Knowledgebase
article for further information: https://access.redhat.com/articles/1352803
All Red Hat Enterprise Linux 7 users are advised to install these updated
packages, which correct these issues and add these enhancements. The system
must be rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3690">CVE-2014-3690</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3940">CVE-2014-3940</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7825">CVE-2014-7825</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7826">CVE-2014-7826</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8086">CVE-2014-8086</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8160">CVE-2014-8160</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8172">CVE-2014-8172</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8173">CVE-2014-8173</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8709">CVE-2014-8709</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8884">CVE-2014-8884</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0274">CVE-2015-0274</cve>
<bugzilla href="https://bugzilla.redhat.com/839966" id="839966">Trigger RHEL7 crash in guest domU, host don't generate core file</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/915335" id="915335">RFE: Multiple virtio-rng devices support</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/968147" id="968147">enable online multiple hot-added CPUs cause RHEL7.0 guest hang(soft lockup)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1043379" id="1043379">guest screen fail to return back to the originally screen after resume from S3(still black screen)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1050834" id="1050834">lockdep warning in flush_work() when hotunplugging a virtio-scsi disk (scsi-block + iscsi://)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1058608" id="1058608">[RFE] btrfs-progs: btrfs resize doesn't support T/P/E suffix</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1065474" id="1065474">Size of external origin needs to be aligned with thin pool chunk size</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1067126" id="1067126">Virt-manager doesn't configure bridge for VM</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1068627" id="1068627">implement lazy save/restore of debug registers</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1071340" id="1071340">FCoE target: kernel panic when initiator connects to target</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1074747" id="1074747">kvm unit test "realmode" fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1078775" id="1078775">During query cpuinfo during guest boot from ipxe repeatedly in AMD hosts, vm repeatedly reboot.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1079841" id="1079841">kvm unit test "debug" fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1080894" id="1080894">dm-cache: crash on creating cache</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1083860" id="1083860">kernel panic when virtscsi_init fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1083969" id="1083969">libguestfs-test-tool hangs when the guest is boot with -cpu host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086058" id="1086058">fail to boot L2 guest on wildcatpass Haswell host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088784" id="1088784">qemu ' KVM internal error. Suberror: 1' when query cpu frequently during pxe boot in Intel "Q95xx" host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1091818" id="1091818">Windows guest booting failed with apicv and hv_vapic</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1095099" id="1095099">RHEL7.0 guest hang during kdump with qxl shared irq</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098643" id="1098643">sync with latest upstream dm-thin provisioning improvements and fixes (through 3.15)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1102641" id="1102641">BUG: It is not possible to communicate between local program and local ipv6 address when at least one 'netlabelctl unlbl' rule is added</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104097" id="1104097">CVE-2014-3940 Kernel: missing check during hugepage migration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1115201" id="1115201">[xfs] can't create inodes in newly added space after xfs_growfs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1117542" id="1117542">Support for movntdq</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119662" id="1119662">BUG: NetLabel lead to kernel panic on some SELinux levels</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120850" id="1120850">unable recover NFSv3 locks NLM_DENIED_NOLOCK</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1124880" id="1124880">[fuse] java.io.FileNotFoundException (FNF) during time period with unrecovered disk errors</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1127218" id="1127218">Include fix commit daba287b299ec7a ("ipv4: fix DO and PROBE pmtu mode regarding local fragmentation with UFO/CORK")</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131552" id="1131552">Solarflare devices do not provide PCIe ACS support, limiting device assignment use case due to IOMMU grouping</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141399" id="1141399">Device 'vfio-pci' could not be initialized when passing through Intel 82599</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151353" id="1151353">CVE-2014-8086 Kernel: fs: ext4 race condition</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153322" id="1153322">CVE-2014-3690 kernel: kvm: vmx: invalid host cr4 handling across vm entries</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161565" id="1161565">CVE-2014-7825 CVE-2014-7826 kernel: insufficient syscall number validation in perf and ftrace subsystems</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1164266" id="1164266">CVE-2014-8884 kernel: usb: buffer overflow in ttusb-dec</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1173580" id="1173580">CVE-2014-8709 kernel: net: mac80211: plain text information leak</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182059" id="1182059">CVE-2014-8160 kernel: iptables restriction bypass if a protocol handler kernel module not loaded</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1195248" id="1195248">CVE-2015-0274 kernel: xfs: replacing remote attributes memory corruption</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198457" id="1198457">CVE-2014-8173 kernel: NULL pointer dereference in madvise(MADV_WILLNEED) support</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198503" id="1198503">CVE-2014-8172 kernel: soft lockup on aio</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290033"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290009"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290015"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290011"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290031"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290027"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290029"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290013"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290019"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290023"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290021"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-229.el7" test_ref="oval:com.redhat.rhsa:tst:20150290017"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150301" version="601">
<metadata>
<title>RHSA-2015:0301: hivex security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0301-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0301.html" source="RHSA"/>
<reference ref_id="CVE-2014-9273" ref_url="https://access.redhat.com/security/cve/CVE-2014-9273" source="CVE"/>
<description>Hive files are undocumented binary files that Windows uses to store the
Windows Registry on disk. Hivex is a library that can read and write to
these files.
It was found that hivex attempted to read beyond its allocated buffer when
reading a hive file with a very small size or with a truncated or
improperly formatted content. An attacker able to supply a specially
crafted hive file to an application using the hivex library could possibly
use this flaw to execute arbitrary code with the privileges of the user
running that application. (CVE-2014-9273)
Red Hat would like to thank Mahmoud Al-Qudsi of NeoSmart Technologies for
reporting this issue.
The hivex package has been upgraded to upstream version 1.3.10, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1023978)
This update also fixes the following bugs:
* Due to an error in the hivex_value_data_cell_offset() function, the hivex
utility could, in some cases, print an "Argument list is too long" message
and terminate unexpectedly when processing hive files from the Windows
Registry. This update fixes the underlying code and hivex now processes
hive files as expected. (BZ#1145056)
* A typographical error in the Win::Hivex.3pm manual page has been
corrected. (BZ#1099286)
Users of hivex are advised to upgrade to these updated packages, which
correct these issues and adds these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9273">CVE-2014-9273</cve>
<bugzilla href="https://bugzilla.redhat.com/1023978" id="1023978">Rebase hivex in RHEL 7.1</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1099286" id="1099286">typo error in man page</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1145056" id="1145056">hivexml generate "Argument list too long" on some Windows Registry</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158992" id="1158992">CVE-2014-9273 hivex: missing checks for small-sized files [rhel-7.1]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1167756" id="1167756">CVE-2014-9273 hivex: missing checks for small-sized files</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="hivex is earlier than 0:1.3.10-5.7.el7" test_ref="oval:com.redhat.rhsa:tst:20150301005"/>
<criterion comment="hivex is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150301006"/>
</criteria>
<criteria operator="AND">
<criterion comment="hivex-devel is earlier than 0:1.3.10-5.7.el7" test_ref="oval:com.redhat.rhsa:tst:20150301011"/>
<criterion comment="hivex-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150301012"/>
</criteria>
<criteria operator="AND">
<criterion comment="ocaml-hivex is earlier than 0:1.3.10-5.7.el7" test_ref="oval:com.redhat.rhsa:tst:20150301007"/>
<criterion comment="ocaml-hivex is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150301008"/>
</criteria>
<criteria operator="AND">
<criterion comment="ocaml-hivex-devel is earlier than 0:1.3.10-5.7.el7" test_ref="oval:com.redhat.rhsa:tst:20150301017"/>
<criterion comment="ocaml-hivex-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150301018"/>
</criteria>
<criteria operator="AND">
<criterion comment="perl-hivex is earlier than 0:1.3.10-5.7.el7" test_ref="oval:com.redhat.rhsa:tst:20150301015"/>
<criterion comment="perl-hivex is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150301016"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-hivex is earlier than 0:1.3.10-5.7.el7" test_ref="oval:com.redhat.rhsa:tst:20150301013"/>
<criterion comment="python-hivex is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150301014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ruby-hivex is earlier than 0:1.3.10-5.7.el7" test_ref="oval:com.redhat.rhsa:tst:20150301009"/>
<criterion comment="ruby-hivex is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150301010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150323" version="601">
<metadata>
<title>RHSA-2015:0323: libvirt security, bug fix, and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0323-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0323.html" source="RHSA"/>
<reference ref_id="CVE-2014-8136" ref_url="https://access.redhat.com/security/cve/CVE-2014-8136" source="CVE"/>
<reference ref_id="CVE-2015-0236" ref_url="https://access.redhat.com/security/cve/CVE-2015-0236" source="CVE"/>
<description>The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems.
It was found that QEMU's qemuDomainMigratePerform() and qemuDomainMigrateFinish2() functions did not correctly perform a domain unlock on a failed ACL check. A remote attacker able to establish a connection to libvirtd could use this flaw to lock a domain of a more privileged user, causing a denial of service. (CVE-2014-8136)
It was discovered that the virDomainSnapshotGetXMLDesc() and virDomainSaveImageGetXMLDesc() functions did not sufficiently limit the usage of the VIR_DOMAIN_XML_SECURE flag when fine-grained ACLs were enabled. A remote attacker able to establish a connection to libvirtd could use this flaw to obtain certain sensitive information from the domain XML file. (CVE-2015-0236)
The CVE-2015-0236 issue was found by Luyao Huang of Red Hat.
Bug fixes:
* The libvirtd daemon previously attempted to search for SELinux contexts even when SELinux was disabled on the host. Consequently, libvirtd logged "Unable to lookup SELinux process context" error messages every time a client connected to libvirtd and SELinux was disabled. libvirtd now verifies whether SELinux is enabled before searching for SELinux contexts, and no longer logs the error messages on a host with SELinux disabled. (BZ#1135155)
* The libvirt utility passed incomplete PCI addresses to QEMU. Consequently, assigning a PCI device that had a PCI address with a non-zero domain to a guest failed. Now, libvirt properly passes PCI domain to QEMU when assigning PCI devices, which prevents the described problem. (BZ#1127080)
* Because the virDomainSetMaxMemory API did not allow changing the current memory in the LXC driver, the "virsh setmaxmem" command failed when attempting to set the maximum memory to be lower than the current memory. Now, "virsh setmaxmem" sets the current memory to the intended value of the maximum memory, which avoids the mentioned problem. (BZ#1091132)
* Attempting to start a non-existent domain caused network filters to stay locked for read-only access. Because of this, subsequent attempts to gain read-write access to network filters triggered a deadlock. Network filters are now properly unlocked in the described scenario, and the deadlock no longer occurs. (BZ#1088864)
* If a guest configuration had an active nwfilter using the DHCP snooping feature and an attempt was made to terminate libvirtd before the associated nwfilter rule snooped the guest IP address from DHCP packets, libvirtd became unresponsive. This problem has been fixed by setting a longer wait time for snooping the guest IP address. (BZ#1075543)
Enhancements:
* A new "migrate_host" option is now available in /etc/libvirt/qemu.conf, which allows users to set a custom IP address to be used for incoming migrations. (BZ#1087671)
* With this update, libvirt is able to create a compressed memory-only crash dump of a QEMU domain. This type of crash dump is directly readable by the GNU Debugger and requires significantly less hard disk space than the standard crash dump. (BZ#1035158)
* Support for reporting the NUMA node distance of the host has been added to libvirt. This enhances the current libvirt capabilities for reporting NUMA topology of the host, and allows for easier optimization of new domains. (BZ#1086331)
* The XML file of guest and host capabilities generated by the "virsh capabilities" command has been enhanced to list the following information, where relevant: the interface speed and link status of the host, the PCI Express (PCIe) details, the host's hardware support for I/O virtualization, and a report on the huge memory pages. (BZ#1076960, BZ#1076957, BZ#1076959, BZ#1076962)
These packages also include a number of other bug fixes and enhancements. For additional details, see the "Bugs Fixed" section below.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2014-08-01"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8136">CVE-2014-8136</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0236">CVE-2015-0236</cve>
<bugzilla href="https://bugzilla.redhat.com/706887" id="706887">[TestOnly] qemu truncates JSON numbers >= 0x8000_0000_0000_0000</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/765733" id="765733">Error reporting when qemu terminates unexpectedly is inconsistent and sometimes unhelpful</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/823535" id="823535">Libvirt is sensitive to the order in which the video devices are passed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/872628" id="872628">List available LXC consoles using container_ttys env variable</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/874418" id="874418">clear the error message when dump a guest with pass-through device</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/876829" id="876829">create external checkpoint snapshot will change the guest pmsuspended state and guest hang forever</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/877244" id="877244">Virsh command will delay a long time if restart libvirtd with many virtual networks running</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/878394" id="878394">virsh iface-dumpxml or virt-manager reports "bond interface misses the bond element" for inactive bond interfaces</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/880483" id="880483">Guest can use inactive macvtap-passthrough network</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/921094" id="921094">Missing auditing for serial, parallel, channel, console and smartcard devices</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/924853" id="924853">blockcopy to cifs fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/956506" id="956506">virsh snapshot-delete --children-only bypasses safety check for deleting disk-only children</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/957293" id="957293">support libiscsi for SCSI passthrough devices</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/963817" id="963817">Stable SCSI host addressing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/964177" id="964177">virConnectDomainEventRTCChangeCallback returns wrong offset</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/967493" id="967493">Lockfailure action Ignore will lead to sanlock rem_lockspace stuck</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/967494" id="967494">Lockfailure action Restart can shutdown the guest but fail to start it</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/972964" id="972964">WWN option for Hot Attaching SCSI Disks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/983350" id="983350">The running Guest was paused while cancel the migration on the third machine</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/985782" id="985782">Some flag values of method are missing in libvirt-python bindings</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/985980" id="985980">virsh vcpuinfo output is difficult to read with large cpu counts</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/990418" id="990418">Provide option to enable/disable 64-bit PCI hole</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/991290" id="991290">Fail to modify the name attribute of ipv6 dhcp host via virsh net-update</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/992980" id="992980">Separate limits for anonymous and authenticated users</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/994731" id="994731">Documentation for virDomainLookupBy* should mention caller's responsibility to free virDomainPtr</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/995377" id="995377">Domain without autostart can't be resumed by the libvirt-guests script after rebooting the host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/997802" id="997802">domdisplay should show all URI if config both vnc and spice in guest</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/999926" id="999926">Policy denies libvirtd the permission to relabel unix domain sockets</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1006700" id="1006700">need add "interface" to virt-xml-validate manual page</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1007698" id="1007698">The cpu_shares value of domain xml should be consistent with return value of schedinfo.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1007759" id="1007759">libvirt should forbid to attach a device with boot order for the first time if the os/boot element exists</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1021703" id="1021703">[RFE] Support for qemu-kvm's "-boot splash_time" parameter</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1022874" id="1022874">In man page of virsh, a typo 'COMMMANDS' displays three times</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1023366" id="1023366">[virsh cmd] Error message is not clear for commands blkiotune and schedinfo</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1025407" id="1025407">autoport='yes' doesn't skip over ports in use with IPv6</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1027076" id="1027076">Fail to start lxc with disabled selinux due to the existed empty /selinux</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1029266" id="1029266">Error message is not clear for command nwfilter-define under non-root user.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1029732" id="1029732">Libvirt can not update/modify queues value of interface element using update-device command</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1032363" id="1032363">document need to pass image name for block backed disks with --disk-only</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1033398" id="1033398">Nodedev-destroy commands both doc and error message when destroy HBA are not clear</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1033704" id="1033704">domain xml: libvirt should take defaultMode value into account when discarding <channel ... mode='MODE'/> entries</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1035128" id="1035128">Stable guest ABI doesn't check redirected usb device</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1035966" id="1035966">Start autostarted virtual networks in background</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1041569" id="1041569">[NFR] libvirt: Returning the allocation watermark for all the images opened for writing during block-commit</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1043735" id="1043735">virsh command domiftune bound parameter checking error</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1046192" id="1046192">Can't set the timer base as localtime once localtime is used in the variable attribute.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1047818" id="1047818">VFs can not be listed by net-dumpxml directly after starting the hostdev network</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1052114" id="1052114">guest fail to start with permission denied error when with gluster volume</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1056902" id="1056902">virsh attach-interface/detach-interface mishandles inactive configuration on device hot(un)plug commands</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1062142" id="1062142">live snapshot merge (commit) of the active layer</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1064770" id="1064770">Fail to update floor attribute of QoS using updateDeviceFlags</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066280" id="1066280">Fail to restore guest from the save file while set the static selinux lable for the guest and set the relabel='no' in the guest's xml</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066894" id="1066894">Implement for libvirt guest's xml for security label</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1067338" id="1067338">Mem leak while start a guest with a character followed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1069784" id="1069784">block commit/pull support for disks using libgfapi volumes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1070680" id="1070680">cpu-stats boundary value problem</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1071095" id="1071095">Libvirt report incorrect error message when parsing invalid value of CTRL_IP_LEARNING in nwfilter</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1072141" id="1072141">"pool-list --type gluster" list other types pool</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1072292" id="1072292">Libvirt report incorrect message when starting domain with nwfilter whose chain priority is greater than its filter rule priority</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1072653" id="1072653">vol-upload should change the volume target format type after uploading a different format file to it</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1072677" id="1072677">Incorrect error message when hot-plugging interface with an inexistence nwfilter</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1073368" id="1073368">[libvirt] can create live snapshot of passthrough device (iSCSI LUN or block device)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1075290" id="1075290">gluster option is not showed in virsh --version=long</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1075299" id="1075299">Failed to get the vol-name by giving volume path in gluster pool.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1075543" id="1075543">Libvirt does not terminate when DHCP snooping is being used</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076098" id="1076098">[RFE] allow setting video ram size (vgamem_mb) for qemu vga cards.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076725" id="1076725">libvirt: Multi-node NUMA policy assignment</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076957" id="1076957">Expose huge pages information through libvirt API</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076959" id="1076959">Expose host hardware support for I/O virtualization via libvirt API</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076960" id="1076960">Expose interface speed and link information via API</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076962" id="1076962">Expose PCIe BW and lane information through API</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076989" id="1076989">Enable complex memory requirements for virtual machines</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1077009" id="1077009">It shouldn't be permitted to change the uuid of a nwfilter</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1077572" id="1077572">Python setInterfaceParameters function is broken</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1078590" id="1078590">use of tls with libvirt.so can leave zombie processes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1079162" id="1079162">The guest will be destroyed abnormally while revert the guest's snapshot which took in "pmsuspended" status</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1079173" id="1079173">libvirt can not do vol-download for gluster pool volume</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1080859" id="1080859">[Snapshot Doc] In snapshot-create-as manual page, supported snapshot type should be no, internal and external</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1081461" id="1081461">Dropped guest network connection during migration (before it finished)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1081881" id="1081881">Fail to start guest with 2 displays mixed with port allocated automatically and fixed port.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1081932" id="1081932">the return value of API virNodeDevice.listCaps() is not correct</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1082124" id="1082124">RHEL7 libvirt vs older qemu: unable to execute QEMU command 'qom-get': The command qom-get has not been found</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1082521" id="1082521">The sg disk is not really shared within 2 guests</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1083345" id="1083345">The --memspec parameters "snapshot=no" doesn't work when creating internal disk snapshot</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1084360" id="1084360">[doc] Document behavior of --reuse-external (VIR_DOMAIN_SNAPSHOT_CREATE_REUSE_EXT)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1085706" id="1085706">virsh numatune should forbid to accept int as parameter values</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1085769" id="1085769">[Stroage][vol-clone] Volume was cloned successfully when passing an non-existing pool</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086121" id="1086121">Improve the error message when failed to restore a guest with a not availabe disk with startupPolicy='optional'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086704" id="1086704">Don't allow aio=native without cache=none</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1087104" id="1087104">[Storage][vol-download] virsh cmd vol-download works with option offset and length by passing a negative integer</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088667" id="1088667">[storage] some volume related virsh commands work when the passed volume is not one volume of the passed pool</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088787" id="1088787">Libvirt should clean up socket file on destroyed domain with UNIX character device</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088864" id="1088864">nwfilter deadlock</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088901" id="1088901">Fail to do external disk-only snapshot when guest use FC storage</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1089179" id="1089179">The error is inaccurate when create snapshot with memspec snapshot=external and diskspec snapshot=no</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1091866" id="1091866">volume is disappered after vol-wipe with logical type pool</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1092253" id="1092253">Improve the error message when blockpull with a wrong base path</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1092363" id="1092363">[RHEL7] Virsh cmd maxvcpus returns 255 for kvm type, but the maximum number of vcpus supported by kvm is 160.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1093127" id="1093127">RFE: report NUMA node locality for PCI devices</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1095035" id="1095035">[RHEL7][Storage]The "lazy_refcounts" feature was missing in the xml printed by vol-dumpxml for a qcow3 disk in a native gluster pool</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1095636" id="1095636">SELinux prevent qemu from attaching tuntap queues</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097028" id="1097028">Don't fail starting domain without cpu, cpuset and cpuacct cgroups controllers</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097503" id="1097503">guest will be paused and can't resume when do external system checkpoint snapshot with wrong compression format</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097677" id="1097677">libvirt loses track of hotplugged vcpus after daemon restart</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097968" id="1097968">libvirt-python API baselineCPU doesn't generate exception</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098659" id="1098659">libvirt binds only to ipv6</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1099978" id="1099978">Maintain relative path to backing file image during live merge (block-commit)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1100769" id="1100769">blkiotune weight range should be (10, 1000)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1101059" id="1101059">virsh vcpupin need accurate error message when --vcpu argument is negative</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1101510" id="1101510">no need to require iptables-ipv6</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1101731" id="1101731">Rebase libvirt to current upstream release</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1101987" id="1101987">Libvirt should report error when try to revert guest to external system checkpoint snapshot</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1101999" id="1101999">virt-xml-validate should pass when netfs pool xml with glusterfs backend</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1102611" id="1102611">The running guest will disappear while change the security_driver from "none" to "selinux"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1103245" id="1103245">libvirt reset rtc interrupt backlog after guest-set-time</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104992" id="1104992">Guest fail to start while disks use same no-exist source file even though with startupPolicy='optional'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104993" id="1104993">Garbage characters show in the output of pool-name with no-exist pool UUID</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1105939" id="1105939">Fail to start guest while disable the default security labeling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108593" id="1108593">Libvirtd will crash while start a guest which DAC's seclabel type='none' in guest's xml</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1110198" id="1110198">domblkinfo doesn't work when guest use glusterfs as source</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1110212" id="1110212">The error info is not correct when do blockcommit with --base and --top point to same source</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1110673" id="1110673">typo errors in man page VIRSH(1)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1111044" id="1111044">capabilities mode hostdev shouldn't be added in KVM</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112939" id="1112939">libvirt should prompt more readable error message while ide/sata bus disk do not support readonly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113116" id="1113116">[RFE] add API to query the stats of multiple VMs at once</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113332" id="1113332">python bindings for graphics event have wrong value for address type</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113668" id="1113668">libvirt failed to start a domain with unix+guestfwd channel</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113861" id="1113861">The guest will disappear after restart the libvirtd service while set seclabel type='static' model='none' relabel='yes'/> in guest's xml.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113868" id="1113868">domxml-to-native fails for spice graphics with autoport='yes' when spice_tls is disabled</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1115898" id="1115898">[RFE] Add events for cputune and iotune change</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118710" id="1118710">The error info is not accurate when do vol-wipe with volume based on gluster pool</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119206" id="1119206">RFE: Multiple virtio-rng devices support</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119215" id="1119215">Generate the redundant record in guest's xml while configure the same listen address in guest's xm</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119387" id="1119387">The default behavor of abort block job with pivot flag isn't sync</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119592" id="1119592">libvirt will report error after use pool-build in Non-root mode(qemu:///session)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119784" id="1119784">QMP: extend block events with error information</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1121837" id="1121837">numatune can use nodeset 0,^0 but can't edit xml like this</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1121955" id="1121955">virsh command takes long time to finish after set "log_level = 1" only</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1122255" id="1122255">'virsh desc $dom blah' doesn't survive libvirtd restart</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1122455" id="1122455">libvirt should refuse to start domain with unsupported/useless min-guarantee element in qemu driver</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1122973" id="1122973">missing pci address for vga devices</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1126329" id="1126329">Libvirt should forbid using relative path to the new overaly snapshot image for external snapshots</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1126721" id="1126721">[Doc] Attribute name vlan-id should be vlanid in nwfilter xml docs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1126909" id="1126909">Wrong block job type reported for active layer commit</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1126991" id="1126991">[libvirt] expose ivshmem</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1128097" id="1128097">Can't use domiftune --inbound 0 or --outbound 0 to clear inbound or outbound settings for a shut off guest</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1128751" id="1128751"><driver/> isn't always formated as it should be</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1129207" id="1129207">libvirtd will crash after do managedsave the same guest in the same time</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1129372" id="1129372">Failed to start domain with specified cputune after decreasing vcpu number</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1129998" id="1129998">numatune --mode can't work well</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1130089" id="1130089">Possible deadlock when the domain is destroyed on destination during migration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1130379" id="1130379">[Doc]no manual about metadata command in virsh manual</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131306" id="1131306">number range should be checked for the 4 new options of blkiotune</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131445" id="1131445">Could not show process info for migration at once.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131788" id="1131788">blkdeviotune should can be used in session mode</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131811" id="1131811">The iotune element will disappear from the guest's xml while set an invalid value</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131819" id="1131819">Libvirtd crash while set blkdeviotune with the hotplug disk and specify the --config option</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131876" id="1131876">The range for blkdeviotune was different in guest's xml and virsh command line</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131897" id="1131897">virDomainSetMemoryFlags doesn't process flag VIR_DOMAIN_MEM_MAXIMUM for LXC</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132301" id="1132301">Error msg is not right for option -k and -K against virsh command</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132305" id="1132305">option -k and -K should point out range of reasonable values against virsh command</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132347" id="1132347">Libvirt crash after defining/editing macvtap network pool with <address> elements</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1134154" id="1134154">snapshot's race condition</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1134454" id="1134454">pkg-config --libs contains cflags</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1135169" id="1135169">blockcopy job was cancel by "CTRL+C" while it show there still be one block job in background</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1135339" id="1135339">active commit will be cancelled by another commit</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1135396" id="1135396">Honor hugepage settings on UMA guest</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1135431" id="1135431">libvirt should pass "-enable-fips" to QEMU</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1135955" id="1135955">The usage for migrate's option --auto-converge missed in virsh man page</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1136736" id="1136736">Failed to remove libvirt-daemon-1.2.8-1.el7.x86_64 package</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138221" id="1138221">Fail to managedsave while configure <cpu mode='host-model'> in the guest's xml</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138231" id="1138231">Report better error when backing chain detection fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138487" id="1138487">one of guest will be shut off when restart libvirtd while disable the default security labeling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138545" id="1138545">guest NUMA cannot start when automatic NUMA placement</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1139567" id="1139567">virsh cmd will hang when remove blockcopy file</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1140085" id="1140085">guest interface which use existing bridge source bridge will disappear after libvirtd restart</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1140981" id="1140981">Libvirt should post more accurate error when do blockpull with qemu-kvm</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1140984" id="1140984">sub-element in <disk>...</disk> change after create external disk snapshot</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141209" id="1141209">Back port selected upstream Coverity resolutions since 1.2.8</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141621" id="1141621">libvirtd will crashed after hot-plug a virtual NIC to a guest which use qemu-attach connect to libvirtd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141732" id="1141732">wrong QMP argument 'id' when detaching iscsi hostdev</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141943" id="1141943">libvirtd crash when defining scsi storage pool</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142294" id="1142294">libvirt should report error when failed to use domtime to set a guest time</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142693" id="1142693">[RFE] Add a qemu resume hook that is able to preprocess the domain XML</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142722" id="1142722">libvirtd dead while destroy one guest with block disk</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1143780" id="1143780">Deadlock on nwfilter when taking same concurrent jobs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1143955" id="1143955">libvirtd crashed after running "virsh metadata --remove" command</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144303" id="1144303">memory leak when starting a domain with cpu mode='host-model'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144920" id="1144920">libvirtd crashed after use qemu-monitor-event --regex to a running guest</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144922" id="1144922">wrong backingStore info after blockpull and destroy/start guest</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1145048" id="1145048">freepages argument has wrong unit and range</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1145050" id="1145050">API virNodeGetFreePages need report specific error when node out of range</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1146511" id="1146511">Updating blkdeviotune for live domain doesn't survive restarting the libvirtd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1146550" id="1146550">USB Redirection no longer works: Permission Denied</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1146837" id="1146837">Libvirtd crash when defining scsi pool with 'scsi_host' type adapter and parentaddr attribute</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1147331" id="1147331">[migration] Tunnelled migration failed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1147494" id="1147494">libvirtd crashes when starting a domain with 0 cpu shares</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1147584" id="1147584">save/managedsave doesn't work with host-passthrough</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150322" id="1150322">libvirt should recognize __com.redhat_change-backing-file for relative path preservation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150505" id="1150505">Domain is out of control from libvirt when running some concurrent define/undefine/start/destroy jobs rapidly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151718" id="1151718">Permission denied when create external snapshot for guest whose source file based on nfs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151885" id="1151885">libvirtd loses track of a running restored guest with host-passthrough cpu</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1152382" id="1152382">[NPIV] The volume in scsi pool appears only after refreshing pool</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1155410" id="1155410">An LXC domain without console dies soon after start</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1155441" id="1155441">forbid NIC offloads change on the fly using update-device</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1155458" id="1155458">libvirt can not save mode='client' of vhostuser interface to domain xml</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1156288" id="1156288">libvirtd crashed on disk snapshot with rdma glusterfs image</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1156367" id="1156367">network using host bridge gets a MAC on libvirt update</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158715" id="1158715">A memory error report when use domstats</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159227" id="1159227">lxc domain startup is slow</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159245" id="1159245">repeated migration with NBD fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1160084" id="1160084">domfsfreeze and domfsthaw cannot work well when guest restart</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1160212" id="1160212">libvirt doesn't stop the NBD server after migration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1160565" id="1160565">Libvirt should check if the parent defined in xml matches the wwn of vHBA when starting pool</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1160926" id="1160926">Destroying 'fc_host' pool the HBA is NOT destroyed when not using 'parent' attribute</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161024" id="1161024">libvirtd crashes after device hot-unplug crashes qemu</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161124" id="1161124">small memory leak in migration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161358" id="1161358">[ACL] polkit: wrong attribute name 'interface_mac' for network interface in the documentation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161540" id="1161540">kvm_init_vcpu failed for cpu hot-plugging in NUMA</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162097" id="1162097">crash after attempted spice channel hotplug</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162208" id="1162208">libvirtd occasionally crashes at the end of migration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162915" id="1162915">net-event should not report unsuccessful event</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162974" id="1162974">external disk snapshot with fault glusterfs snapshot xml crash libvirtd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163463" id="1163463">use after free in callers of virNetDevLinkDump</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163953" id="1163953">No way to turn off rdma-pin-all once it was turned on</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1164528" id="1164528">VM with a storage volume that contains a RBD volume in the backing chain fails to start</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166592" id="1166592">Failed to create logical volume with specified xml</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1167145" id="1167145">networkMigrateStateFiles function does not work on xfs file system due to using unsupported t_type field</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1167883" id="1167883">Report job type in virDomainGetJobInfo</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168866" id="1168866">"libvirtError: Unable to write to '/sys/fs/cgroup/cpuset/machine.slice/machine-qemu\x2dinstance\x2d00000002.scope/cpuset.mems': Device or resource busy"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169409" id="1169409">Libvirt will crash with segfault if you try to set non-existing nwfilter to network interface for live guest</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170484" id="1170484">guest can not start when setting " vcpu placement='auto' "</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174053" id="1174053">libvirtd crash when try to cold plug a network iscsi hostdev which guest already have a iscsi hostdev</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174090" id="1174090">extra space will be added to xml when update a network</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174859" id="1174859">missing support for -spice disable-agent-file-xfer qemu commandline option</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175234" id="1175234">virDomainGetSchedulerParameters() fails with Unable to read from '/sys/fs/cgroup/cpu,cpuacct/machine.slice/machine-qemu\x2dMic2.scope/cpu.shares': No such file or directory</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175397" id="1175397">memdev= option is not supported on rhel6 machine-types</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175668" id="1175668">Attach a usb disk to guest failed.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175709" id="1175709">Unable to start guest with hugepages and strict numa pinning</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1176176" id="1176176">CVE-2014-8136 libvirt: local denial of service in qemu/qemu_driver.c</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1177194" id="1177194">Fail to Migrate with Bridged network, eth + macvtap ,with different interface name on two hosts</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180136" id="1180136">Memory leak when parsing invalid network XML</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180574" id="1180574">migration rhel7.1 -> rhel7.0 wont work if you set "ram" < 2*"vgamem" for QXL device</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1181052" id="1181052">update default vgamem size from 8 MiB to 16 MiB</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1181157" id="1181157">libvirtError: argument unsupported: QEMU driver does not support <metadata> element</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1181408" id="1181408">Libvirtd crash while hotplug the guest agent without target type for many times</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182448" id="1182448">cpu features are not formatted in XML for host-model</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182486" id="1182486">libvirtd crashed when updating a IPv6 <host> and a IPv4 <host> into a IPv4 <ip> element</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184431" id="1184431">CVE-2015-0236 libvirt: missing ACL check for the VIR_DOMAIN_XML_SECURE flag in save images and snapshots objects</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libvirt is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323005"/>
<criterion comment="libvirt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-client is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323015"/>
<criterion comment="libvirt-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914034"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323013"/>
<criterion comment="libvirt-daemon is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914016"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-config-network is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323017"/>
<criterion comment="libvirt-daemon-config-network is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-config-nwfilter is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323019"/>
<criterion comment="libvirt-daemon-config-nwfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914022"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-interface is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323027"/>
<criterion comment="libvirt-daemon-driver-interface is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914028"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-lxc is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323011"/>
<criterion comment="libvirt-daemon-driver-lxc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914026"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-network is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323023"/>
<criterion comment="libvirt-daemon-driver-network is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-nodedev is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323007"/>
<criterion comment="libvirt-daemon-driver-nodedev is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914020"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-nwfilter is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323025"/>
<criterion comment="libvirt-daemon-driver-nwfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914038"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-qemu is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323041"/>
<criterion comment="libvirt-daemon-driver-qemu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914040"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-secret is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323029"/>
<criterion comment="libvirt-daemon-driver-secret is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-driver-storage is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323021"/>
<criterion comment="libvirt-daemon-driver-storage is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914018"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-kvm is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323037"/>
<criterion comment="libvirt-daemon-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914044"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-daemon-lxc is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323009"/>
<criterion comment="libvirt-daemon-lxc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914030"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-devel is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323031"/>
<criterion comment="libvirt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914024"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-docs is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323033"/>
<criterion comment="libvirt-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914032"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-lock-sanlock is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323039"/>
<criterion comment="libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914042"/>
</criteria>
<criteria operator="AND">
<criterion comment="libvirt-login-shell is earlier than 0:1.2.8-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150323035"/>
<criterion comment="libvirt-login-shell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140914014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150325" version="603">
<metadata>
<title>RHSA-2015:0325: httpd security, bug fix, and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0325-02" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0325.html" source="RHSA"/>
<reference ref_id="CVE-2013-5704" ref_url="https://access.redhat.com/security/cve/CVE-2013-5704" source="CVE"/>
<reference ref_id="CVE-2014-3581" ref_url="https://access.redhat.com/security/cve/CVE-2014-3581" source="CVE"/>
<description>The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. (CVE-2013-5704)
A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled. (CVE-2014-3581)
This update also fixes the following bugs:
* Previously, the mod_proxy_fcgi Apache module always kept the back-end connections open even when they should have been closed. As a consequence, the number of open file descriptors was increasing over the time. With this update, mod_proxy_fcgi has been fixed to check the state of the back-end connections, and it closes the idle back-end connections as expected. (BZ#1168050)
* An integer overflow occurred in the ab utility when a large request count was used. Consequently, ab terminated unexpectedly with a segmentation fault while printing statistics after the benchmark. This bug has been fixed, and ab no longer crashes in this scenario. (BZ#1092420)
* Previously, when httpd was running in the foreground and the user pressed Ctrl+C to interrupt the httpd processes, a race condition in signal handling occurred. The SIGINT signal was sent to all children followed by SIGTERM from the main process, which interrupted the SIGINT handler. Consequently, the affected processes became unresponsive or terminated unexpectedly. With this update, the SIGINT signals in the child processes are ignored, and httpd no longer hangs or crashes in this scenario. (BZ#1131006)
In addition, this update adds the following enhancements:
* With this update, the mod_proxy module of the Apache HTTP Server supports the Unix Domain Sockets (UDS). This allows mod_proxy back ends to listen on UDS sockets instead of TCP sockets, and as a result, mod_proxy can be used to connect UDS back ends. (BZ#1168081)
* This update adds support for using the SetHandler directive together with the mod_proxy module. As a result, it is possible to configure SetHandler to use proxy for incoming requests, for example, in the following format: SetHandler "proxy:fcgi://127.0.0.1:9000". (BZ#1136290)
* The htaccess API changes introduced in httpd 2.4.7 have been backported to httpd shipped with Red Hat Enterprise Linux 7.1. These changes allow for the MPM-ITK module to be compiled as an httpd module. (BZ#1059143)
All httpd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. After installing the updated packages, the httpd daemon will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2013-5704">CVE-2013-5704</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3581">CVE-2014-3581</cve>
<bugzilla href="https://bugzilla.redhat.com/1059143" id="1059143">Feature request: update httpd to 2.4.7 / backport htaccess API changes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1060536" id="1060536">mod_rewrite doesn't expose client_addr</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1073078" id="1073078">mod_ssl uses small DHE parameters for non standard RSA keys</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1073081" id="1073081">mod_ssl selects correct DHE parameters for keys only up to 4096 bit</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1080125" id="1080125">httpd uses hardcoded curve for ECDHE suites</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1082903" id="1082903">CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1114123" id="1114123">RFE: set vstring dynamically</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131006" id="1131006">Error in `/usr/sbin/httpd': free(): invalid pointer</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131847" id="1131847">authzprovideralias and authnprovideralias-defined provider can't be used in virtualhost .</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1136290" id="1136290">SetHandler to proxy support</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1149709" id="1149709">CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="httpd is earlier than 0:2.4.6-31.el7" test_ref="oval:com.redhat.rhsa:tst:20150325005"/>
<criterion comment="httpd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921006"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpd-devel is earlier than 0:2.4.6-31.el7" test_ref="oval:com.redhat.rhsa:tst:20150325019"/>
<criterion comment="httpd-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921014"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpd-manual is earlier than 0:2.4.6-31.el7" test_ref="oval:com.redhat.rhsa:tst:20150325007"/>
<criterion comment="httpd-manual is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921018"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpd-tools is earlier than 0:2.4.6-31.el7" test_ref="oval:com.redhat.rhsa:tst:20150325011"/>
<criterion comment="httpd-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921012"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_ldap is earlier than 0:2.4.6-31.el7" test_ref="oval:com.redhat.rhsa:tst:20150325009"/>
<criterion comment="mod_ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921010"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_proxy_html is earlier than 1:2.4.6-31.el7" test_ref="oval:com.redhat.rhsa:tst:20150325015"/>
<criterion comment="mod_proxy_html is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921008"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_session is earlier than 0:2.4.6-31.el7" test_ref="oval:com.redhat.rhsa:tst:20150325017"/>
<criterion comment="mod_session is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921016"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_ssl is earlier than 1:2.4.6-31.el7" test_ref="oval:com.redhat.rhsa:tst:20150325013"/>
<criterion comment="mod_ssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150327" version="601">
<metadata>
<title>RHSA-2015:0327: glibc security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0327-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0327.html" source="RHSA"/>
<reference ref_id="CVE-2014-6040" ref_url="https://access.redhat.com/security/cve/CVE-2014-6040" source="CVE"/>
<reference ref_id="CVE-2014-8121" ref_url="https://access.redhat.com/security/cve/CVE-2014-8121" source="CVE"/>
<description>The glibc packages provide the standard C libraries (libc), POSIX thread
libraries (libpthread), standard math libraries (libm), and the Name Server
Caching Daemon (nscd) used by multiple programs on the system. Without
these libraries, the Linux system cannot function correctly.
An out-of-bounds read flaw was found in the way glibc's iconv() function
converted certain encoded data to UTF-8. An attacker able to make an
application call the iconv() function with a specially crafted argument
could use this flaw to crash that application. (CVE-2014-6040)
It was found that the files back end of Name Service Switch (NSS) did not
isolate iteration over an entire database from key-based look-up API calls.
An application performing look-ups on a database while iterating over it
could enter an infinite loop, leading to a denial of service.
(CVE-2014-8121)
This update also fixes the following bugs:
* Due to problems with buffer extension and reallocation, the nscd daemon
terminated unexpectedly with a segmentation fault when processing long
netgroup entries. With this update, the handling of long netgroup entries
has been corrected and nscd no longer crashes in the described scenario.
(BZ#1138520)
* If a file opened in append mode was truncated with the ftruncate()
function, a subsequent ftell() call could incorrectly modify the file
offset. This update ensures that ftell() modifies the stream state only
when it is in append mode and the buffer for the stream is not empty.
(BZ#1156331)
* A defect in the C library headers caused builds with older compilers to
generate incorrect code for the btowc() function in the older compatibility C++ standard library. Applications calling btowc() in the compatibility C++ standard library became unresponsive. With this update, the C library headers have been corrected, and the compatibility C++ standard library shipped with Red Hat Enterprise Linux has been rebuilt. Applications that rely on the compatibility C++ standard library no longer hang when calling btowc(). (BZ#1120490)
* Previously, when using netgroups and the nscd daemon was set up to cache netgroup information, the sudo utility denied access to valid users. The bug in nscd has been fixed, and sudo now works in netgroups as
expected. (BZ#1080766)
Users of glibc are advised to upgrade to these updated packages, which fix these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2014-08-04"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-6040">CVE-2014-6040</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8121">CVE-2014-8121</cve>
<bugzilla href="https://bugzilla.redhat.com/1103874" id="1103874">Fix memory fencing error in unwind-forcedunwind.c</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1124453" id="1124453">getconf PATH returns non-directory "/bin"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1135841" id="1135841">CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138520" id="1138520">nscd segfaults when running sudo with netgroup caching enabled.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1165192" id="1165192">CVE-2014-8121 glibc: Unexpected closing of nss_files databases after lookups causes denial of service</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.17-78.el7" test_ref="oval:com.redhat.rhsa:tst:20150327005"/>
<criterion comment="glibc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110019"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.17-78.el7" test_ref="oval:com.redhat.rhsa:tst:20150327007"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110025"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.17-78.el7" test_ref="oval:com.redhat.rhsa:tst:20150327009"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110023"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.17-78.el7" test_ref="oval:com.redhat.rhsa:tst:20150327013"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110021"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-static is earlier than 0:2.17-78.el7" test_ref="oval:com.redhat.rhsa:tst:20150327017"/>
<criterion comment="glibc-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110027"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.17-78.el7" test_ref="oval:com.redhat.rhsa:tst:20150327011"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.17-78.el7" test_ref="oval:com.redhat.rhsa:tst:20150327015"/>
<criterion comment="nscd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110031"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150330" version="601">
<metadata>
<title>RHSA-2015:0330: pcre security and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0330-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0330.html" source="RHSA"/>
<reference ref_id="CVE-2014-8964" ref_url="https://access.redhat.com/security/cve/CVE-2014-8964" source="CVE"/>
<description>PCRE is a Perl-compatible regular expression library.
A flaw was found in the way PCRE handled certain malformed regular
expressions. This issue could cause an application (for example, Konqueror)
linked against PCRE to crash while parsing malicious regular expressions.
(CVE-2014-8964)
This update also adds the following enhancement:
* Support for the little-endian variant of IBM Power Systems has been added to the pcre packages. (BZ#1123498, BZ#1125642)
All pcre users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue and add this enhancement.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2014-08-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8964">CVE-2014-8964</cve>
<bugzilla href="https://bugzilla.redhat.com/1166147" id="1166147">CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="pcre is earlier than 0:8.32-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150330005"/>
<criterion comment="pcre is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150330006"/>
</criteria>
<criteria operator="AND">
<criterion comment="pcre-devel is earlier than 0:8.32-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150330007"/>
<criterion comment="pcre-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150330008"/>
</criteria>
<criteria operator="AND">
<criterion comment="pcre-static is earlier than 0:8.32-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150330011"/>
<criterion comment="pcre-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150330012"/>
</criteria>
<criteria operator="AND">
<criterion comment="pcre-tools is earlier than 0:8.32-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150330009"/>
<criterion comment="pcre-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150330010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150349" version="601">
<metadata>
<title>RHSA-2015:0349: qemu-kvm security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0349-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0349.html" source="RHSA"/>
<reference ref_id="CVE-2014-3640" ref_url="https://access.redhat.com/security/cve/CVE-2014-3640" source="CVE"/>
<reference ref_id="CVE-2014-7815" ref_url="https://access.redhat.com/security/cve/CVE-2014-7815" source="CVE"/>
<reference ref_id="CVE-2014-7840" ref_url="https://access.redhat.com/security/cve/CVE-2014-7840" source="CVE"/>
<reference ref_id="CVE-2014-8106" ref_url="https://access.redhat.com/security/cve/CVE-2014-8106" source="CVE"/>
<description>KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM.
It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106)
An uninitialized data structure use flaw was found in the way the set_pixel_format() function sanitized the value of bits_per_pixel. An attacker able to access a guest's VNC console could use this flaw to crash the guest. (CVE-2014-7815)
It was found that certain values that were read when loading RAM during migration were not validated. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-7840)
A NULL pointer dereference flaw was found in the way QEMU handled UDP packets with a source port and address of 0 when QEMU's user networking was in use. A local guest user could use this flaw to crash the guest. (CVE-2014-3640)
Red Hat would like to thank James Spadaro of Cisco for reporting CVE-2014-7815, and Xavier Mehrenberger and Stephane Duverger of Airbus for reporting CVE-2014-3640. The CVE-2014-8106 issue was found by Paolo Bonzini of Red Hat, and the CVE-2014-7840 issue was discovered by Michael S. Tsirkin of Red Hat.
Bug fixes:
* The KVM utility executed demanding routing update system calls every time it performed an MSI vector mask/unmask operation. Consequently, guests running legacy systems such as Red Hat Enterprise Linux 5 could, under certain circumstances, experience significant slowdown. Now, the routing system calls during mask/unmask operations are skipped, and the performance of legacy guests is now more consistent. (BZ#1098976)
* Due to a bug in the Internet Small Computer System Interface (iSCSI) driver, a qemu-kvm process terminated unexpectedly with a segmentation fault when the "write same" command was executed in guest mode under the iSCSI protocol. This update fixes the bug, and the "write same" command now functions in guest mode under iSCSI as intended. (BZ#1083413)
* The QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault. This update fixes the related code, and QEMU no longer crashes in the described situation. (BZ#1066338)
Enhancements:
* The maximum number of supported virtual CPUs (vCPUs) in a KVM guest has been increased to 240. This increases the number of virtual processing units that the user can assign to the guest, and therefore improves its performance potential. (BZ#1134408)
* Support for the 5th Generation Intel Core processors has been added to the QEMU hypervisor, the KVM kernel code, and the libvirt API. This allows KVM guests to use the following instructions and features: ADCX, ADOX, RDSFEED, PREFETCHW, and supervisor mode access prevention (SMAP). (BZ#1116117)
* The "dump-guest-memory" command now supports crash dump compression. This makes it possible for users who cannot use the "virsh dump" command to require less hard disk space for guest crash dumps. In addition, saving a compressed guest crash dump frequently takes less time than saving a non-compressed one. (BZ#1157798)
* This update introduces support for flight recorder tracing, which uses SystemTap to automatically capture qemu-kvm data while the guest machine is running. For detailed instructions on how to configure and use flight recorder tracing, see the Virtualization Deployment and Administration Guide, linked to in the References section below. (BZ#1088112)</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2014-08-15"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3640">CVE-2014-3640</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7815">CVE-2014-7815</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7840">CVE-2014-7840</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8106">CVE-2014-8106</cve>
<bugzilla href="https://bugzilla.redhat.com/895436" id="895436">qemu-kvm core dump when guest do S3/S4 with max(232) virtio block devices (multifunction=on)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/949385" id="949385">passthrough USB speaker to win2012 guest fail to work well</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/980747" id="980747">flood with 'xhci: wrote doorbell while xHC stopped or paused' when redirected USB Webcam from usb-host with xHCI controller</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/980833" id="980833">xhci: FIXME: endpoint stopped w/ xfers running, data might be lost</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/990724" id="990724">qemu-kvm failing when invalid machine type is provided</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/996011" id="996011">vlan and queues options cause core dumped when qemu-kvm process quit(or ctrl+c)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/999789" id="999789">qemu should give a more friendly prompt when didn't specify read-only for VMDK format disk</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1002493" id="1002493">qemu-img convert rate about 100k/second from qcow2/raw to vmdk format on nfs system file</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1017685" id="1017685">Gluster etc. should not be a dependency of vscclient and libcacard</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1021788" id="1021788">the error message "scsi generic interface too old" is wrong more often than not</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1026314" id="1026314">BUG: qemu-kvm hang when use '-sandbox on'+'vnc'+'hda'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1027565" id="1027565">fail to reboot guest after migration from RHEL6.5 host to RHEL7.0 host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1029271" id="1029271">Format specific information (create type) was wrong when create it specified subformat='streamOptimized'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1038914" id="1038914">Guest can't receive any character transmitted from host after hot unplugging virtserialport then hot plugging again</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1039791" id="1039791">qemu-img creates truncated VMDK image with subformat=twoGbMaxExtentFlat</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1046574" id="1046574">fail to passthrough the USB speaker redirected from usb-redir with xhci controller</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1046873" id="1046873">fail to be recognized the hotpluging usb-storage device with xhci controller in win2012R2 guest</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1049734" id="1049734">PCI: QEMU crash on illegal operation: attaching a function to a non multi-function device</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1052093" id="1052093">qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1054077" id="1054077">qemu crash when reboot win7 guest with spice display</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1064156" id="1064156">[qxl] The guest show black screen while resumed guest which managedsaved in pmsuspended status.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1064647" id="1064647">qemu-kvm core dump when hot-plug virtio-blk-pci device with gluster backend</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1066338" id="1066338">Reduce the migrate cache size during migration causes qemu segment fault</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1074219" id="1074219">qemu core dump when install a RHEL.7 guest(xhci) with migration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1074403" id="1074403">qemu-kvm can not give any warning hint when set sndbuf with negative value</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1074913" id="1074913">migration can not finish with 1024k 'remaining ram' left after hotunplug 4 nics</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1075846" id="1075846">qemu-kvm core dumped when hotplug/unhotplug USB3.0 device multi times</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076326" id="1076326">qemu-kvm does not quit when booting guest w/ 161 vcpus and "-no-kvm"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1079147" id="1079147">[WHQL][balloon][virtio-rng]ob named DPWLK-HotADD-Device Test- Verify dirver support for Hot-Add CPU made win2k8-R2 BSOD (0x7E)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1083413" id="1083413">qemu-kvm: iSCSI: Failure. SENSE KEY:ILLEGAL_REQUEST(5) ASCQ:INVALID_FIELD_IN_CDB(0x2400)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1085701" id="1085701">Guest hits call trace migrate from RHEL6.5 to RHEL7.0 host with -M 6.1 & balloon & uhci device</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086598" id="1086598">migrate_cancel wont take effect on previouly wrong migrate -d cmd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086987" id="1086987">src qemu crashed when starting migration in inmigrate mode</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088116" id="1088116">qemu crash when device_del usb-redir</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088150" id="1088150">qemu-img coredumpd when try to create a gluster format image</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088176" id="1088176">QEMU fail to check whether duplicate ID for block device drive using 'blockdev-add' to hotplug</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088695" id="1088695">there are four "gluster" in qemu-img supported format list</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088822" id="1088822">hot-plug a virtio-scsi disk via 'blockdev-add' always cause QEMU quit</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1089606" id="1089606">QEMU will not reject invalid number of queues (num_queues = 0) specified for virtio-scsi</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1093983" id="1093983">there are three "nbd" in qemu-img supported format list</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1094285" id="1094285">Hot plug CPU not working with RHEL6 machine types running on RHEL7 host.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1095645" id="1095645">vectors of virtio-scsi-pci will be 0 when set vectors>=129</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1096576" id="1096576">QEMU core dumped when boot up two scsi-hd disk on the same virtio-scsi-pci controller in Intel host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097020" id="1097020">[RFE] qemu-img: Add/improve Disk2VHD tools creating VHDX images</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097363" id="1097363">qemu ' KVM internal error. Suberror: 1' when query cpu frequently during pxe boot in Intel "Q95xx" host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098086" id="1098086">RFE: Supporting creating vmdk/vdi/vpc format disk with protocols (glusterfs)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104748" id="1104748">48% reduction in IO performance for KVM guest, io=native</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1107821" id="1107821">rdma migration: seg if destination isn't listening</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1111450" id="1111450">Guest crash when hotplug usb while disable virt_use_usb</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113009" id="1113009">Migration failed with virtio-blk from RHEL6.5.0 host to RHEL7.0 host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1116728" id="1116728">Backport qemu_bh_schedule() race condition fix</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1116941" id="1116941">Return value of virtio_load not checked in virtio_rng_load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118707" id="1118707">VMstate static checker: backport -dump-vmstate feature to export json-encoded vmstate info</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1122151" id="1122151">Pass close from qemu-ga</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1123372" id="1123372">qemu-kvm crashed when doing iofuzz testing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1130428" id="1130428">After migration of RHEL7.1 guest with "-vga qxl", GUI console is hang</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131316" id="1131316">fail to specify wwn for virtual IDE CD-ROM</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1134237" id="1134237">Opening malformed VMDK description file should fail</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1134241" id="1134241">QEMU fails to correctly read/write on VMDK with big flat extent</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1134251" id="1134251">Opening an obviously truncated VMDK image should fail</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1134283" id="1134283">qemu-img convert from ISO to streamOptimized fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138639" id="1138639">fail to login spice session with password + expire time</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138691" id="1138691">Allow qemu-img to bypass the host cache (check, compare, convert, rebase, amend)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1140618" id="1140618">Should replace "qemu-system-i386" by "/usr/libexec/qemu-kvm" in manpage of qemu-kvm for our official qemu-kvm build</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1140742" id="1140742">Enable native qemu support for Ceph</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141667" id="1141667">Qemu crashed if reboot guest after hot remove AC97 sound device</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142290" id="1142290">guest is stuck when setting balloon memory with large guest-stats-polling-interval</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144818" id="1144818">CVE-2014-3640 qemu: slirp: NULL pointer deref in sosendto()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1155518" id="1155518">qemu-kvm: undefined symbol: glfs_discard_async</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1157641" id="1157641">CVE-2014-7815 qemu: vnc: insufficient bits_per_pixel from the client sanitization</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1160237" id="1160237">qemu-img convert intermittently corrupts output images</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161563" id="1161563">invalid QEMU NOTEs in vmcore that is dumped for multi-VCPU guests</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163075" id="1163075">CVE-2014-7840 qemu: insufficient parameter validation during ram load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169454" id="1169454">CVE-2014-8106 qemu: cirrus: insufficient blit region checks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175325" id="1175325">Delete cow block driver</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180942" id="1180942">qemu core dumped when unhotplug gpu card assigned to guest</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libcacard is earlier than 10:1.5.3-86.el7" test_ref="oval:com.redhat.rhsa:tst:20150349011"/>
<criterion comment="libcacard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-devel is earlier than 10:1.5.3-86.el7" test_ref="oval:com.redhat.rhsa:tst:20150349007"/>
<criterion comment="libcacard-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-tools is earlier than 10:1.5.3-86.el7" test_ref="oval:com.redhat.rhsa:tst:20150349013"/>
<criterion comment="libcacard-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704016"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-img is earlier than 10:1.5.3-86.el7" test_ref="oval:com.redhat.rhsa:tst:20150349009"/>
<criterion comment="qemu-img is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704014"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm is earlier than 10:1.5.3-86.el7" test_ref="oval:com.redhat.rhsa:tst:20150349005"/>
<criterion comment="qemu-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704006"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7" test_ref="oval:com.redhat.rhsa:tst:20150349017"/>
<criterion comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704018"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7" test_ref="oval:com.redhat.rhsa:tst:20150349015"/>
<criterion comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150377" version="601">
<metadata>
<title>RHSA-2015:0377: libreoffice security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0377-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0377.html" source="RHSA"/>
<reference ref_id="CVE-2014-0247" ref_url="https://access.redhat.com/security/cve/CVE-2014-0247" source="CVE"/>
<reference ref_id="CVE-2014-3575" ref_url="https://access.redhat.com/security/cve/CVE-2014-3575" source="CVE"/>
<reference ref_id="CVE-2014-3693" ref_url="https://access.redhat.com/security/cve/CVE-2014-3693" source="CVE"/>
<description>LibreOffice is an open source, community-developed office productivity
suite. It includes key desktop applications, such as a word processor, a
spreadsheet, a presentation manager, a formula editor, and a drawing
program. LibreOffice replaces OpenOffice and provides a similar but
enhanced and extended office suite.
It was found that LibreOffice documents executed macros unconditionally,
without user approval, when these documents were opened using LibreOffice.
An attacker could use this flaw to execute arbitrary code as the user
running LibreOffice by embedding malicious VBA scripts in the document as
macros. (CVE-2014-0247)
A flaw was found in the OLE (Object Linking and Embedding) generation in
LibreOffice. An attacker could use this flaw to embed malicious OLE code in
a LibreOffice document, allowing for arbitrary code execution.
(CVE-2014-3575)
A use-after-free flaw was found in the "Remote Control" capabilities of the
LibreOffice Impress application. An attacker could use this flaw to
remotely execute code with the permissions of the user running LibreOffice
Impress. (CVE-2014-3693)
The libreoffice packages have been upgraded to upstream version 4.2.6.3,
which provides a number of bug fixes and enhancements over the previous
version. Among others:
* Improved OpenXML interoperability.
* Additional statistic functions in Calc (for interoperability with Excel
and Excel's Add-in "Analysis ToolPak").
* Various performance improvements in Calc.
* Apple Keynote and Abiword import.
* Improved MathML export.
* New Start screen with thumbnails of recently opened documents.
* Visual clue in Slide Sorter when a slide has a transition or an
animation.
* Improvements for trend lines in charts.
* Support for BCP-47 language tags. (BZ#1119709)
All libreoffice users are advised to upgrade to these updated packages,
which correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0247">CVE-2014-0247</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3575">CVE-2014-3575</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3693">CVE-2014-3693</cve>
<bugzilla href="https://bugzilla.redhat.com/1065807" id="1065807">[fix available] Usability - libreoffice does not search XDG defined "Templates" directory</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1096295" id="1096295">[fix available] Highlighting the currently selected slide vs the currently viewed slide is hard in impress</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1111083" id="1111083">CVE-2014-0247 libreoffice: VBA macros executed unconditionally</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1111216" id="1111216">[fix available] LibreOffice Calc: PDF export of an empty document fails with Write Error</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1117853" id="1117853">[fix available] impress killed by SIGABRT on paste into outline view at a position where the slide has no title object</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119709" id="1119709">Rebase to latest stable LibreOffice 4.2.X in RHEL-7.1</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132065" id="1132065">rebase libcmis to 0.4.1</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132069" id="1132069">rebase mdds to 0.10.3</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132070" id="1132070">rebase libmwaw to 0.2.0</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132072" id="1132072">rebase libodfgen to 0.0.4</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1132077" id="1132077">rebase liblangtag to 0.5.4</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138882" id="1138882">CVE-2014-3575 openoffice: Arbitrary file disclosure via crafted OLE objects</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1164733" id="1164733">CVE-2014-3693 libreoffice: Use-After-Free in socket manager of Impress Remote</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="mdds is earlier than 0:0.10.3-1.el7" test_ref="oval:com.redhat.rhsa:tst:20150377005"/>
<criterion comment="mdds is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377006"/>
</criteria>
<criteria operator="AND">
<criterion comment="mdds-devel is earlier than 0:0.10.3-1.el7" test_ref="oval:com.redhat.rhsa:tst:20150377007"/>
<criterion comment="mdds-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libmwaw is earlier than 0:0.2.0-4.el7" test_ref="oval:com.redhat.rhsa:tst:20150377009"/>
<criterion comment="libmwaw is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libmwaw-devel is earlier than 0:0.2.0-4.el7" test_ref="oval:com.redhat.rhsa:tst:20150377015"/>
<criterion comment="libmwaw-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377016"/>
</criteria>
<criteria operator="AND">
<criterion comment="libmwaw-doc is earlier than 0:0.2.0-4.el7" test_ref="oval:com.redhat.rhsa:tst:20150377011"/>
<criterion comment="libmwaw-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libmwaw-tools is earlier than 0:0.2.0-4.el7" test_ref="oval:com.redhat.rhsa:tst:20150377013"/>
<criterion comment="libmwaw-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377014"/>
</criteria>
<criteria operator="AND">
<criterion comment="libodfgen is earlier than 0:0.0.4-1.el7" test_ref="oval:com.redhat.rhsa:tst:20150377017"/>
<criterion comment="libodfgen is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377018"/>
</criteria>
<criteria operator="AND">
<criterion comment="libodfgen-devel is earlier than 0:0.0.4-1.el7" test_ref="oval:com.redhat.rhsa:tst:20150377021"/>
<criterion comment="libodfgen-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377022"/>
</criteria>
<criteria operator="AND">
<criterion comment="libodfgen-doc is earlier than 0:0.0.4-1.el7" test_ref="oval:com.redhat.rhsa:tst:20150377019"/>
<criterion comment="libodfgen-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377020"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcmis is earlier than 0:0.4.1-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377023"/>
<criterion comment="libcmis is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377024"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcmis-devel is earlier than 0:0.4.1-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377025"/>
<criterion comment="libcmis-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377026"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcmis-tools is earlier than 0:0.4.1-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377027"/>
<criterion comment="libcmis-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377028"/>
</criteria>
<criteria operator="AND">
<criterion comment="libabw is earlier than 0:0.0.2-1.el7" test_ref="oval:com.redhat.rhsa:tst:20150377029"/>
<criterion comment="libabw is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377030"/>
</criteria>
<criteria operator="AND">
<criterion comment="libabw-devel is earlier than 0:0.0.2-1.el7" test_ref="oval:com.redhat.rhsa:tst:20150377035"/>
<criterion comment="libabw-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377036"/>
</criteria>
<criteria operator="AND">
<criterion comment="libabw-doc is earlier than 0:0.0.2-1.el7" test_ref="oval:com.redhat.rhsa:tst:20150377033"/>
<criterion comment="libabw-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377034"/>
</criteria>
<criteria operator="AND">
<criterion comment="libabw-tools is earlier than 0:0.0.2-1.el7" test_ref="oval:com.redhat.rhsa:tst:20150377031"/>
<criterion comment="libabw-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377032"/>
</criteria>
<criteria operator="AND">
<criterion comment="libfreehand is earlier than 0:0.0.0-3.el7" test_ref="oval:com.redhat.rhsa:tst:20150377037"/>
<criterion comment="libfreehand is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377038"/>
</criteria>
<criteria operator="AND">
<criterion comment="libfreehand-devel is earlier than 0:0.0.0-3.el7" test_ref="oval:com.redhat.rhsa:tst:20150377041"/>
<criterion comment="libfreehand-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377042"/>
</criteria>
<criteria operator="AND">
<criterion comment="libfreehand-doc is earlier than 0:0.0.0-3.el7" test_ref="oval:com.redhat.rhsa:tst:20150377039"/>
<criterion comment="libfreehand-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377040"/>
</criteria>
<criteria operator="AND">
<criterion comment="libfreehand-tools is earlier than 0:0.0.0-3.el7" test_ref="oval:com.redhat.rhsa:tst:20150377043"/>
<criterion comment="libfreehand-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377044"/>
</criteria>
<criteria operator="AND">
<criterion comment="libetonyek is earlier than 0:0.0.4-2.el7" test_ref="oval:com.redhat.rhsa:tst:20150377045"/>
<criterion comment="libetonyek is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377046"/>
</criteria>
<criteria operator="AND">
<criterion comment="libetonyek-devel is earlier than 0:0.0.4-2.el7" test_ref="oval:com.redhat.rhsa:tst:20150377049"/>
<criterion comment="libetonyek-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377050"/>
</criteria>
<criteria operator="AND">
<criterion comment="libetonyek-doc is earlier than 0:0.0.4-2.el7" test_ref="oval:com.redhat.rhsa:tst:20150377051"/>
<criterion comment="libetonyek-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377052"/>
</criteria>
<criteria operator="AND">
<criterion comment="libetonyek-tools is earlier than 0:0.0.4-2.el7" test_ref="oval:com.redhat.rhsa:tst:20150377047"/>
<criterion comment="libetonyek-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377048"/>
</criteria>
<criteria operator="AND">
<criterion comment="liblangtag is earlier than 0:0.5.4-8.el7" test_ref="oval:com.redhat.rhsa:tst:20150377053"/>
<criterion comment="liblangtag is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377054"/>
</criteria>
<criteria operator="AND">
<criterion comment="liblangtag-devel is earlier than 0:0.5.4-8.el7" test_ref="oval:com.redhat.rhsa:tst:20150377059"/>
<criterion comment="liblangtag-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377060"/>
</criteria>
<criteria operator="AND">
<criterion comment="liblangtag-doc is earlier than 0:0.5.4-8.el7" test_ref="oval:com.redhat.rhsa:tst:20150377055"/>
<criterion comment="liblangtag-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377056"/>
</criteria>
<criteria operator="AND">
<criterion comment="liblangtag-gobject is earlier than 0:0.5.4-8.el7" test_ref="oval:com.redhat.rhsa:tst:20150377057"/>
<criterion comment="liblangtag-gobject is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377058"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-af is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377119"/>
<criterion comment="autocorr-af is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377120"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-bg is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377313"/>
<criterion comment="autocorr-bg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377314"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ca is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377129"/>
<criterion comment="autocorr-ca is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377130"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-cs is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377193"/>
<criterion comment="autocorr-cs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377194"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-da is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377133"/>
<criterion comment="autocorr-da is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377134"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-de is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377085"/>
<criterion comment="autocorr-de is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377086"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-en is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377251"/>
<criterion comment="autocorr-en is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377252"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-es is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377095"/>
<criterion comment="autocorr-es is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377096"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-fa is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377155"/>
<criterion comment="autocorr-fa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377156"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-fi is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377125"/>
<criterion comment="autocorr-fi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377126"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-fr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377273"/>
<criterion comment="autocorr-fr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377274"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ga is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377121"/>
<criterion comment="autocorr-ga is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377122"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-hr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377135"/>
<criterion comment="autocorr-hr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377136"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-hu is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377249"/>
<criterion comment="autocorr-hu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377250"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-is is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377071"/>
<criterion comment="autocorr-is is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377072"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-it is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377179"/>
<criterion comment="autocorr-it is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377180"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ja is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377257"/>
<criterion comment="autocorr-ja is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377258"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ko is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377309"/>
<criterion comment="autocorr-ko is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377310"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-lb is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377271"/>
<criterion comment="autocorr-lb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377272"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-lt is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377285"/>
<criterion comment="autocorr-lt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377286"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-mn is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377159"/>
<criterion comment="autocorr-mn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377160"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-nl is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377239"/>
<criterion comment="autocorr-nl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377240"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-pl is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377105"/>
<criterion comment="autocorr-pl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377106"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-pt is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377145"/>
<criterion comment="autocorr-pt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377146"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ro is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377317"/>
<criterion comment="autocorr-ro is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377318"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ru is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377167"/>
<criterion comment="autocorr-ru is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377168"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sk is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377225"/>
<criterion comment="autocorr-sk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377226"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sl is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377215"/>
<criterion comment="autocorr-sl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377216"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377091"/>
<criterion comment="autocorr-sr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377092"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sv is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377171"/>
<criterion comment="autocorr-sv is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377172"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-tr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377191"/>
<criterion comment="autocorr-tr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377192"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-vi is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377131"/>
<criterion comment="autocorr-vi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377132"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-zh is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377237"/>
<criterion comment="autocorr-zh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377238"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377061"/>
<criterion comment="libreoffice is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377062"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-base is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377151"/>
<criterion comment="libreoffice-base is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377152"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-bsh is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377315"/>
<criterion comment="libreoffice-bsh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377316"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-calc is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377297"/>
<criterion comment="libreoffice-calc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377298"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-core is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377093"/>
<criterion comment="libreoffice-core is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377094"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-draw is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377275"/>
<criterion comment="libreoffice-draw is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377276"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-emailmerge is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377195"/>
<criterion comment="libreoffice-emailmerge is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377196"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-filters is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377265"/>
<criterion comment="libreoffice-filters is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377266"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-gdb-debug-support is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377087"/>
<criterion comment="libreoffice-gdb-debug-support is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377088"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-glade is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377261"/>
<criterion comment="libreoffice-glade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377262"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-graphicfilter is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377077"/>
<criterion comment="libreoffice-graphicfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377078"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-headless is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377083"/>
<criterion comment="libreoffice-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377084"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-impress is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377137"/>
<criterion comment="libreoffice-impress is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377138"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-af is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377201"/>
<criterion comment="libreoffice-langpack-af is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377202"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ar is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377099"/>
<criterion comment="libreoffice-langpack-ar is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377100"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-as is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377267"/>
<criterion comment="libreoffice-langpack-as is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377268"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-bg is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377291"/>
<criterion comment="libreoffice-langpack-bg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377292"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-bn is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377269"/>
<criterion comment="libreoffice-langpack-bn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377270"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-br is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377235"/>
<criterion comment="libreoffice-langpack-br is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377236"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ca is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377221"/>
<criterion comment="libreoffice-langpack-ca is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377222"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-cs is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377223"/>
<criterion comment="libreoffice-langpack-cs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377224"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-cy is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377189"/>
<criterion comment="libreoffice-langpack-cy is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377190"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-da is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377069"/>
<criterion comment="libreoffice-langpack-da is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377070"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-de is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377153"/>
<criterion comment="libreoffice-langpack-de is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377154"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-dz is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377279"/>
<criterion comment="libreoffice-langpack-dz is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377280"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-el is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377311"/>
<criterion comment="libreoffice-langpack-el is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377312"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-en is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377255"/>
<criterion comment="libreoffice-langpack-en is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377256"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-es is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377143"/>
<criterion comment="libreoffice-langpack-es is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377144"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-et is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377295"/>
<criterion comment="libreoffice-langpack-et is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377296"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-eu is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377101"/>
<criterion comment="libreoffice-langpack-eu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377102"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-fa is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377203"/>
<criterion comment="libreoffice-langpack-fa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377204"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-fi is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377219"/>
<criterion comment="libreoffice-langpack-fi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377220"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-fr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377165"/>
<criterion comment="libreoffice-langpack-fr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377166"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ga is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377141"/>
<criterion comment="libreoffice-langpack-ga is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377142"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-gl is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377259"/>
<criterion comment="libreoffice-langpack-gl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377260"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-gu is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377207"/>
<criterion comment="libreoffice-langpack-gu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377208"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-he is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377115"/>
<criterion comment="libreoffice-langpack-he is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377116"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-hi is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377287"/>
<criterion comment="libreoffice-langpack-hi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377288"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-hr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377197"/>
<criterion comment="libreoffice-langpack-hr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377198"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-hu is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377231"/>
<criterion comment="libreoffice-langpack-hu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377232"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-it is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377227"/>
<criterion comment="libreoffice-langpack-it is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377228"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ja is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377183"/>
<criterion comment="libreoffice-langpack-ja is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377184"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-kk is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377199"/>
<criterion comment="libreoffice-langpack-kk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377200"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-kn is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377263"/>
<criterion comment="libreoffice-langpack-kn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377264"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ko is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377247"/>
<criterion comment="libreoffice-langpack-ko is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377248"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-lt is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377063"/>
<criterion comment="libreoffice-langpack-lt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377064"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-lv is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377149"/>
<criterion comment="libreoffice-langpack-lv is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377150"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-mai is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377127"/>
<criterion comment="libreoffice-langpack-mai is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377128"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ml is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377303"/>
<criterion comment="libreoffice-langpack-ml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377304"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-mr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377181"/>
<criterion comment="libreoffice-langpack-mr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377182"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nb is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377307"/>
<criterion comment="libreoffice-langpack-nb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377308"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nl is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377209"/>
<criterion comment="libreoffice-langpack-nl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377210"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nn is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377067"/>
<criterion comment="libreoffice-langpack-nn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377068"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377073"/>
<criterion comment="libreoffice-langpack-nr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377074"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nso is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377117"/>
<criterion comment="libreoffice-langpack-nso is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377118"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-or is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377211"/>
<criterion comment="libreoffice-langpack-or is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377212"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pa is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377205"/>
<criterion comment="libreoffice-langpack-pa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377206"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pl is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377123"/>
<criterion comment="libreoffice-langpack-pl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377124"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pt-BR is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377103"/>
<criterion comment="libreoffice-langpack-pt-BR is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377104"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pt-PT is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377185"/>
<criterion comment="libreoffice-langpack-pt-PT is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377186"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ro is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377097"/>
<criterion comment="libreoffice-langpack-ro is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377098"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ru is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377213"/>
<criterion comment="libreoffice-langpack-ru is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377214"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-si is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377217"/>
<criterion comment="libreoffice-langpack-si is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377218"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sk is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377187"/>
<criterion comment="libreoffice-langpack-sk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377188"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sl is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377079"/>
<criterion comment="libreoffice-langpack-sl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377080"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377301"/>
<criterion comment="libreoffice-langpack-sr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377302"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ss is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377169"/>
<criterion comment="libreoffice-langpack-ss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377170"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-st is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377241"/>
<criterion comment="libreoffice-langpack-st is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377242"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sv is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377281"/>
<criterion comment="libreoffice-langpack-sv is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377282"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ta is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377111"/>
<criterion comment="libreoffice-langpack-ta is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377112"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-te is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377147"/>
<criterion comment="libreoffice-langpack-te is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377148"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-th is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377157"/>
<criterion comment="libreoffice-langpack-th is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377158"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-tn is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377233"/>
<criterion comment="libreoffice-langpack-tn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377234"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-tr is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377139"/>
<criterion comment="libreoffice-langpack-tr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377140"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ts is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377109"/>
<criterion comment="libreoffice-langpack-ts is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377110"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-uk is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377089"/>
<criterion comment="libreoffice-langpack-uk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377090"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ve is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377175"/>
<criterion comment="libreoffice-langpack-ve is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377176"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-xh is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377299"/>
<criterion comment="libreoffice-langpack-xh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377300"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-zh-Hans is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377173"/>
<criterion comment="libreoffice-langpack-zh-Hans is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377174"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-zh-Hant is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377075"/>
<criterion comment="libreoffice-langpack-zh-Hant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377076"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-zu is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377293"/>
<criterion comment="libreoffice-langpack-zu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377294"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-librelogo is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377081"/>
<criterion comment="libreoffice-librelogo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377082"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-math is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377253"/>
<criterion comment="libreoffice-math is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377254"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-nlpsolver is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377161"/>
<criterion comment="libreoffice-nlpsolver is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377162"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-ogltrans is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377289"/>
<criterion comment="libreoffice-ogltrans is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377290"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-opensymbol-fonts is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377065"/>
<criterion comment="libreoffice-opensymbol-fonts is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377066"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-pdfimport is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377277"/>
<criterion comment="libreoffice-pdfimport is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377278"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-postgresql is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377107"/>
<criterion comment="libreoffice-postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377108"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-pyuno is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377245"/>
<criterion comment="libreoffice-pyuno is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377246"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-rhino is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377229"/>
<criterion comment="libreoffice-rhino is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377230"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-sdk is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377243"/>
<criterion comment="libreoffice-sdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377244"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-sdk-doc is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377113"/>
<criterion comment="libreoffice-sdk-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377114"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-ure is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377163"/>
<criterion comment="libreoffice-ure is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377164"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-wiki-publisher is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377283"/>
<criterion comment="libreoffice-wiki-publisher is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377284"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-writer is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377177"/>
<criterion comment="libreoffice-writer is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377178"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-xsltfilter is earlier than 1:4.2.6.3-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150377305"/>
<criterion comment="libreoffice-xsltfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377306"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150383" version="601">
<metadata>
<title>RHSA-2015:0383: ppc64-diag security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0383-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0383.html" source="RHSA"/>
<reference ref_id="CVE-2014-4038" ref_url="https://access.redhat.com/security/cve/CVE-2014-4038" source="CVE"/>
<reference ref_id="CVE-2014-4039" ref_url="https://access.redhat.com/security/cve/CVE-2014-4039" source="CVE"/>
<description>The ppc64-diag packages provide diagnostic tools for Linux on the 64-bit
PowerPC platforms. The platform diagnostics write events reported by the
firmware to the service log, provide automated responses to urgent events,
and notify system administrators or connected service frameworks about the
reported events.
Multiple insecure temporary file use flaws were found in the way the
ppc64-diag utility created certain temporary files. A local attacker could
possibly use either of these flaws to perform a symbolic link attack and
overwrite arbitrary files with the privileges of the user running
ppc64-diag, or obtain sensitive information from the temporary files.
(CVE-2014-4038, CVE-2014-4039)
The ppc64-diag packages have been upgraded to upstream version 2.6.7, which
provides a number of bug fixes and enhancements over the previous version
including support for hot plugging of QEMU PCI devices. (BZ#1088493,
BZ#1084062)
This update also fixes the following bugs:
* Prior to this update, the rtas_errd daemon was not started by default on
system boot. With this update, rtas_errd has been modified to start
automatically by default. (BZ#1170146)
* Previously, the /var/log/dump file was not automatically created when
installing the ppc64-diag package. This bug has been fixed, and
/var/log/dump is now created at package install time as expected.
(BZ#1175808)
In addition, this update adds the following enhancement:
* This update adds support for building the ppc64-diag packages on the
little-endian variant of IBM Power Systems platform architecture. (BZ#1124007)
Users of ppc64-diag are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4038">CVE-2014-4038</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4039">CVE-2014-4039</cve>
<bugzilla href="https://bugzilla.redhat.com/1109371" id="1109371">CVE-2014-4038 CVE-2014-4039 ppc64-diag: multiple temporary file races</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="ppc64-diag is earlier than 0:2.6.7-6.el7" test_ref="oval:com.redhat.rhsa:tst:20150383005"/>
<criterion comment="ppc64-diag is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150383006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150384" version="601">
<metadata>
<title>RHSA-2015:0384: powerpc-utils security, bug fix, and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0384-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0384.html" source="RHSA"/>
<reference ref_id="CVE-2014-4040" ref_url="https://access.redhat.com/security/cve/CVE-2014-4040" source="CVE"/>
<description>The powerpc-utils packages provide various utilities for the PowerPC platform.
A flaw was found in the way the snap utility of powerpc-utils generated an archive containing a configuration snapshot of a service. A local attacker could obtain sensitive information from the generated archive such as plain text passwords. (CVE-2014-4040)
The powerpc-utils packages have been upgraded to the upstream version 1.2.24, which provides a number of bug fixes and enhancements over the previous version. (BZ#1088539, BZ#1167865, BZ#1161552)
This update also fixes the following bugs:
* Previously, the lsdevinfo command did not correctly process the path to the device, which made the path unreadable in the console output of lsdevinfo. With this update, lsdevinfo has been updated and the path is now displayed correctly. (BZ#1079246)
* Previously, after migrating several Linux partitions, Resource Monitoring and Control (RMC) was inactive and Machine Type, Model, and Serial number (MTMS) were set incorrectly, so the subsequent validation operation failed. This bug has been fixed, and validation is now successful after migration and suspend. (BZ#1083221)
* Previously, when the drmgr tool attempted to remove the last CPU from the system, drmgr became unresponsive or terminated unexpectedly. This bug has been fixed, and drmgr no longer hangs or crashes in the described case. (BZ#1152313)
* With this update, the drmgr utility has been fixed to correctly gather Logical Memory Block (LMB) information while performing Mem Dynamic Logical Partitioning (DLPAR) on little-endian varian of IBM Power Systems CPU architecture as expected (BZ#1170856).
* Previously, the "ppc64_cpu --threads-per-core" command returned incorrect data with the --smt option enabled. This bug has been fixed and "ppc64_cpu --threads-per-core" now reports correctly with enabled --smt. (BZ#1179263)
In addition, this update adds the following enhancements:
* This update adds support for the Red Hat Enterprise Linux for POWER, little endian CPU architecture to the powerpc-utils package. (BZ#1124006)
* This update adds support for hot plugging of the qemu virtio device with the drmgr command to the powerpc-utils package.(BZ#1083791)
* The deprecated snap tool has been removed from the powerpc-utils packages. Its functionality has been integrated into the sosreport tool. (BZ#1172087)
* With this update, a dependency on the perl-Data-Dumper package required by the rtas_dump utility has been added to powerpc-utils packages. (BZ#1175812)
Users of powerpc-utils are advised to upgrade to these updated packages, which correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4040">CVE-2014-4040</cve>
<bugzilla href="https://bugzilla.redhat.com/1110520" id="1110520">CVE-2014-4040 powerpc-utils: snap creates archives with fstab and yaboot.conf which may expose certain passwords</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="powerpc-utils is earlier than 0:1.2.24-7.el7" test_ref="oval:com.redhat.rhsa:tst:20150384005"/>
<criterion comment="powerpc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150384006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150416" version="601">
<metadata>
<title>RHSA-2015:0416: 389-ds-base security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0416-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0416.html" source="RHSA"/>
<reference ref_id="CVE-2014-8105" ref_url="https://access.redhat.com/security/cve/CVE-2014-8105" source="CVE"/>
<reference ref_id="CVE-2014-8112" ref_url="https://access.redhat.com/security/cve/CVE-2014-8112" source="CVE"/>
<description>The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.
An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords.
(CVE-2014-8105)
It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server configuration option was set to "off", it did not prevent the writing of unhashed passwords into the Changelog. This could potentially allow an authenticated user able to access the Changelog to read sensitive information. (CVE-2014-8112)
The CVE-2014-8105 issue was discovered by Petr Špaček of the Red Hat Identity Management Engineering Team, and the CVE-2014-8112 issue was discovered by Ludwig Krispenz of the Red Hat Identity Management Engineering Team.
Enhancements:
* Added new WinSync configuration parameters: winSyncSubtreePair for synchronizing multiple subtrees, as well as winSyncWindowsFilter and winSyncDirectoryFilter for synchronizing restricted sets by filters. (BZ#746646)
* It is now possible to stop, start, or configure plug-ins without the need to restart the server for the change to take effect. (BZ#994690)
* Access control related to the MODDN and MODRDN operations has been updated: the source and destination targets can be specified in the same access control instruction. (BZ#1118014)
* The nsDS5ReplicaBindDNGroup attribute for using a group distinguished name in binding to replicas has been added. (BZ#1052754)
* WinSync now supports range retrieval. If more than the MaxValRange number of attribute values exist per attribute, WinSync synchronizes all the attributes to the directory server using the range retrieval. (BZ#1044149)
* Support for the RFC 4527 Read Entry Controls and RFC 4533 Content Synchronization Operation LDAP standards has been added. (BZ#1044139, BZ#1044159)
* The Referential Integrity (referint) plug-in can now use an alternate configuration area. The PlugInArg plug-in configuration now uses unique configuration attributes. Configuration changes no longer require a server restart. (BZ#1044203)
* The logconv.pl log analysis tool now supports gzip, bzip2, and xz compressed files and also TAR archives and compressed TAR archives of these files. (BZ#1044188)
* Only the Directory Manager could add encoded passwords or force users to change their password after a reset. Users defined in the passwordAdminDN attribute can now also do this. (BZ#1118007)
* The "nsslapd-memberofScope" configuration parameter has been added to the MemberOf plug-in. With MemberOf enabled and a scope defined, moving a group out of scope with a MODRDN operation failed. Moving a member entry out of scope now correctly removes the memberof value. (BZ#1044170)
* The alwaysRecordLoginAttr attribute has been addded to the Account Policy plug-in configuration entry, which allows to distinguish between an attribute for checking the activity of an account and an attribute to be updated at successful login. (BZ#1060032)
* A root DSE search, using the ldapsearch command with the '-s base -b ""' options, returns only the user attributes instead of the operational attributes. The "nsslapd-return-default" option has been added for backward compatibility. (BZ#1118021)
* The configuration of the MemberOf plug-in can be stored in a suffix mapped to a back-end database, which allows MemberOf configuration to be replicated. (BZ#1044205)
* Added support for the SSL versions from the range supported by the NSS library available on the system. Due to the POODLE vulnerability, SSLv3 is disabled by default even if NSS supports it. (BZ#1044191)</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8105">CVE-2014-8105</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8112">CVE-2014-8112</cve>
<bugzilla href="https://bugzilla.redhat.com/881372" id="881372">nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/920597" id="920597">Possible to add invalid ACI value</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/921162" id="921162">Possible to add nonexistent target to ACI</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/923799" id="923799">if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/924937" id="924937">Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/951754" id="951754">Self entry access ACI not working properly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/975176" id="975176">Non-directory manager can change the individual userPassword's storage scheme</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/982597" id="982597">Some attributes in cn=config should not be multivalued</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/994690" id="994690">[RFE] Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1012991" id="1012991">errorlog-level 16384 is listed as 0 in cn=config</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1013736" id="1013736">Enabling/Disabling DNA plug-in throws "ldap_modify: Server Unwilling to Perform (53)" error</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1014380" id="1014380">setup-ds.pl doesn't lookup the "root" group correctly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1024541" id="1024541">start dirsrv after ntpd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1029959" id="1029959">Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1031216" id="1031216">add dbmon.sh</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044133" id="1044133">Indexed search with filter containing '&' and "!" with attribute subtypes gives wrong result</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044134" id="1044134">[RFE] should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044135" id="1044135">[RFE] make connection buffer size adjustable</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044137" id="1044137">[RFE] posix winsync should support ADD user/group entries from DS to AD</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044138" id="1044138">mep_pre_op: Unable to fetch origin entry</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044139" id="1044139">[RFE] Support RFC 4527 Read Entry Controls</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044140" id="1044140">Allow search to look up 'in memory RUV'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044141" id="1044141">MMR stress test with dna enabled causes a deadlock</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044142" id="1044142">winsync doesn't sync DN valued attributes if DS DN value doesn't exist</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044143" id="1044143">modrdn + NSMMReplicationPlugin - Consumer failed to replay change</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044144" id="1044144">resurrected entry is not correctly indexed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044146" id="1044146">Add a warning message when a connection hits the max number of threads</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044147" id="1044147">7-bit check plugin does not work for userpassword attribute</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044148" id="1044148">The backend name provided to bak2db is not validated</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044149" id="1044149">[RFE] Winsync should support range retrieval</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044150" id="1044150">7-bit checking is not necessary for userPassword</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044151" id="1044151">With SeLinux, ports can be labelled per range. setup-ds.pl or setup-ds-admin.pl fail to detect already ranged labelled ports</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044152" id="1044152">ChainOnUpdate: "cn=directory manager" can modify userRoot on consumer without changes being chained or replicated. Directory integrity compromised.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044153" id="1044153">mods optimizer</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044154" id="1044154">multi master replication allows schema violation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044156" id="1044156">DS crashes with some 7-bit check plugin configurations</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044157" id="1044157">Some updates of "passwordgraceusertime" are useless when updating "userpassword"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044159" id="1044159">[RFE] Support 'Content Synchronization Operation' (SyncRepl) - RFC 4533</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044160" id="1044160">remove-ds.pl should remove /var/lock/dirsrv</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044162" id="1044162">enhance retro changelog</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044163" id="1044163">updates to ruv entry are written to retro changelog</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044164" id="1044164">Password administrators should be able to violate password policy</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044168" id="1044168">Schema replication between DS versions may overwrite newer base schema</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044169" id="1044169">[RFE] ACIs do not allow attribute subtypes in targetattr keyword</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044170" id="1044170">[RFE] Allow memberOf suffixes to be configurable</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044171" id="1044171">[RFE] Allow referential integrity suffixes to be configurable</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044172" id="1044172">Plugin library path validation prevents intentional loading of out-of-tree modules</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044173" id="1044173">[RFE] make referential integrity configuration more flexible</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044177" id="1044177">allow configuring changelog trim interval</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044179" id="1044179">objectclass may, must lists skip rest of objectclass once first is found in sup</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044180" id="1044180">memberOf on a user is converted to lowercase</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044181" id="1044181">report unindexed internal searches</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044183" id="1044183">With 1.3.04 and subtree-renaming OFF, when a user is deleted after restarting the server, the same entry can't be added</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044185" id="1044185">dbscan on entryrdn should show all matching values</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044187" id="1044187">[RFE] logconv.pl - add on option for a minimum etime for unindexed search stats</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044188" id="1044188">[RFE] Recognize compressed log files</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044191" id="1044191">[RFE] support TLSv1.1 and TLSv1.2, if supported by NSS</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044193" id="1044193">default nsslapd-sasl-max-buffer-size should be 2MB</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044194" id="1044194">Complex filter in a search request doen't work as expected.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044196" id="1044196">Automember plug-in should treat MODRDN operations as ADD operations</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044198" id="1044198">Replication of the schema may overwrite consumer 'attributetypes' even if consumer definition is a superset</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044202" id="1044202">db2bak.pl issue when specifying non-default directory</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044203" id="1044203">[RFE] Allow referint plugin to use an alternate config area</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044205" id="1044205">[RFE] Allow memberOf to use an alternate config area</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044210" id="1044210">idl switch does not work</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044211" id="1044211">[RFE] make old-idl tunable</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044212" id="1044212">IDL-style can become mismatched during partial restoration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044213" id="1044213">backend performance - introduce optimization levels</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044215" id="1044215">using transaction batchval violates durability</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1044216" id="1044216">examine replication code to reduce amount of stored state information</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1048980" id="1048980">7-bit check plugin not checking MODRDN operation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1049030" id="1049030">Windows Sync group issues</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1052751" id="1052751">Page control does not work if effective rights control is specified</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1052754" id="1052754">[RFE] Allow nsDS5ReplicaBindDN to be a group DN</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1057803" id="1057803">logconv errors when search has invalid bind dn</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1061060" id="1061060">betxn: retro changelog broken after cancelled transaction</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1063990" id="1063990">single valued attribute replicated ADD does not work</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1064006" id="1064006">Size returned by slapi_entry_size is not accurate</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1064986" id="1064986">Replication retry time attributes cannot be added</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1067090" id="1067090">Missing warning for invalid replica backoff configuration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1072032" id="1072032">Updating nsds5ReplicaHost attribute in a replication agreement fails with error 53</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1074306" id="1074306">Under heavy stress, failure of turning a tombstone into glue makes the server hung</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1074447" id="1074447">Part of DNA shared configuration is deleted after server restart</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076729" id="1076729">Continuous add/delete of an entry in MMR setup causes entryrdn-index conflict</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1077884" id="1077884">ldap/servers/slapd/back-ldbm/dblayer.c: possible minor problem with sscanf</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1077897" id="1077897">Memory leak with proxy auth control</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1079099" id="1079099">Simultaneous adding a user and binding as the user could fail in the password policy check</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1080186" id="1080186">Creating a glue fails if one above level is a conflict or missing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1082967" id="1082967">attribute uniqueness plugin fails when set as a chaining component</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086890" id="1086890">empty modify returns LDAP_INVALID_DN_SYNTAX</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086902" id="1086902">mem leak in do_bind when there is an error</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086904" id="1086904">mem leak in do_search - rawbase not freed upon certain errors</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086908" id="1086908">Performing deletes during tombstone purging results in operation errors</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1090178" id="1090178">#481 breaks possibility to reassemble memberuid list</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1092099" id="1092099">A replicated MOD fails (Unwilling to perform) if it targets a tombstone</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1092342" id="1092342">nsslapd-ndn-cache-max-size accepts any invalid value.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1092648" id="1092648">Negative value of nsSaslMapPriority is not reset to lowest priority</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097004" id="1097004">Problem with deletion while replicated</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098654" id="1098654">db2bak.pl error with changelogdb</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1099654" id="1099654">Normalization from old DN format to New DN format doesnt handel condition properly when there is space in a suffix after the seperator operator.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108298" id="1108298">Rebase 389-ds-base to 1.3.3</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108405" id="1108405">find a way to remove replication plugin errors messages "changelog iteration code returned a dummy entry with csn %s, skipping ..."</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108407" id="1108407">managed entry plugin fails to update managed entry pointer on modrdn operation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108872" id="1108872">Logconv.pl with an empty access log gives lots of errors</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108874" id="1108874">logconv.pl memory continually grows</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108881" id="1108881">rsearch filter error on any search filter</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108895" id="1108895">[RFE] CLI report to monitor replication</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108902" id="1108902">rhds91 389-ds-base-1.2.11.15-31.el6_5.x86_64 crash in db4 __dbc_get_pp env = 0x0 ?</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108909" id="1108909">single valued attribute replicated ADD does not work</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109334" id="1109334">389 Server crashes if uniqueMember is invalid syntax and memberOf plugin is enabled.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109336" id="1109336">Parent numsubordinate count can be incorrectly updated if an error occurs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109339" id="1109339">Nested tombstones become orphaned after purge</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109354" id="1109354">Tombstone purging can crash the server if the backend is stopped/disabled</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109357" id="1109357">Coverity issue in 1.3.3</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109364" id="1109364">valgrind - value mem leaks, uninit mem usage</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109375" id="1109375">provide default syntax plugin</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109378" id="1109378">Environment variables are not passed when DS is started via service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1111364" id="1111364">Updating winsync one-way sync does not affect the behaviour dynamically</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112824" id="1112824">Broken dereference control with the FreeIPA 4.0 ACIs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113605" id="1113605">server restart wipes out index config if there is a default index</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1115177" id="1115177">attrcrypt_generate_key calls slapd_pk11_TokenKeyGenWithFlags with improper macro</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1117021" id="1117021">Server deadlock if online import started while server is under load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1117975" id="1117975">paged results control is not working in some cases when we have a subsuffix.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1117979" id="1117979">harden the list of ciphers available by default</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1117981" id="1117981">Fix various typos in manpages & code</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1117982" id="1117982">Fix hyphens used as minus signed and other manpage mistakes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118002" id="1118002">server crashes deleting a replication agreement</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118006" id="1118006">[RFE] forcing passwordmustchange attribute by non-cn=directory manager</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118007" id="1118007">[RFE] Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118014" id="1118014">[RFE] Enhance ACIs to have more control over MODRDN operations</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118021" id="1118021">[RFE] Don't return all attributes in rootdse without explicit request</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118032" id="1118032">Schema Replication Issue</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118043" id="1118043">Failed deletion of aci: no such attribute</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118048" id="1118048">If be_txn plugin fails in ldbm_back_add, adding entry is double freed.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118051" id="1118051">Add switch to disable pre-hashed password checking</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118054" id="1118054">Make ldbm_back_seq independently support transactions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118055" id="1118055">Add operations rejected by betxn plugins remain in cache</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118057" id="1118057">online import crashes server if using verbose error logging</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118059" id="1118059">[RFE] add fixup-memberuid.pl script</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118060" id="1118060">winsync plugin modify is broken</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118066" id="1118066">[RFE] memberof scope: allow to exclude subtrees</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118069" id="1118069">389-ds production segfault: __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:144</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118074" id="1118074">ds logs many "SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error" messages</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118076" id="1118076">ds logs many "Operation error fetching Null DN" messages</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118077" id="1118077">Improve import logging and abort handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118079" id="1118079">Multi master replication initialization incomplete after restore of one master</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118080" id="1118080">Don't add unhashed password mod if we don't have an unhashed value</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118081" id="1118081">Investigate betxn plugins to ensure they return the correct error code</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118082" id="1118082">The error result text message should be obtained just prior to sending result</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1139882" id="1139882">coverity defects found in 1.3.3.x</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1140888" id="1140888">Broken dereference control with the FreeIPA 4.0 ACIs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1145846" id="1145846">389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server: "Cipher suite fortezza is not available in NSS 3.17" , "Cannot communicate securely with peer: no common encryption algorithm(s)."</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150206" id="1150206">result of dna_dn_is_shared_config is incorrectly used</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150694" id="1150694">Encoding of SearchResultEntry is missing tag</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1150695" id="1150695">ldbm_back_modify SLAPI_PLUGIN_BE_PRE_MODIFY_FN does not return even if one of the preop plugins fails.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151287" id="1151287">dynamically added macro aci is not evaluated on the fly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153737" id="1153737">Disable SSL v3, by default.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1156607" id="1156607">Crash in entry_add_present_values_wsi_multi_valued</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162997" id="1162997">Directory Server crashes while trying to perform export task for automember plugin with dynamic plugin on.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163461" id="1163461">Should not check aci syntax when deleting an aci</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166252" id="1166252">RHEL7.1 ns-slapd segfault when ipa-replica-install restarts dirsrv</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166260" id="1166260">cookie_change_info returns random negative number if there was no change in a tree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1167858" id="1167858">CVE-2014-8105 389-ds-base: information disclosure through 'cn=changelog' subtree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170707" id="1170707">cos_cache_build_definition_list does not stop during server shutdown</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170708" id="1170708">COS memory leak when rebuilding the cache</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170709" id="1170709">Account lockout attributes incorrectly updated after failed SASL Bind</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1171355" id="1171355">start dirsrv after chrony</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1171356" id="1171356">Bind DN tracking unable to write to internalModifiersName without special permissions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1172597" id="1172597">Server crashes when memberOf plugin is partially configured</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1172729" id="1172729">CVE-2014-8112 389-ds-base: password hashing bypassed when "nsslapd-unhashed-pw-switch" is set to off</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1173273" id="1173273">[RFE] BDB backend - clear free page files to reduce main db and changelog db size</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180325" id="1180325">RHEL 7.1 ipa-server-4.1.0 upgrade fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182477" id="1182477">User enable/disable does not sync with ipawinsyncacctdisable set to both</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183655" id="1183655">IPA replica missing data after master upgraded</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="389-ds-base is earlier than 0:1.3.3.1-13.el7" test_ref="oval:com.redhat.rhsa:tst:20150416005"/>
<criterion comment="389-ds-base is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031006"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-devel is earlier than 0:1.3.3.1-13.el7" test_ref="oval:com.redhat.rhsa:tst:20150416009"/>
<criterion comment="389-ds-base-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031010"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-libs is earlier than 0:1.3.3.1-13.el7" test_ref="oval:com.redhat.rhsa:tst:20150416007"/>
<criterion comment="389-ds-base-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150425" version="603">
<metadata>
<title>RHSA-2015:0425: openssh security, bug fix and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0425-02" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0425.html" source="RHSA"/>
<reference ref_id="CVE-2014-2653" ref_url="https://access.redhat.com/security/cve/CVE-2014-2653" source="CVE"/>
<reference ref_id="CVE-2014-9278" ref_url="https://access.redhat.com/security/cve/CVE-2014-9278" source="CVE"/>
<description>OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.
It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record. (CVE-2014-2653)
It was found that when OpenSSH was used in a Kerberos environment, remote authenticated users were allowed to log in as a different user if they were listed in the ~/.k5users file of that user, potentially bypassing intended authentication restrictions. (CVE-2014-9278)
The openssh packages have been upgraded to upstream version 6.6.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#1059667)
Bug fixes:
* An existing /dev/log socket is needed when logging using the syslog utility, which is not possible for all chroot environments based on the user's home directories. As a consequence, the sftp commands were not logged in the chroot setup without /dev/log in the internal sftp subsystem. With this update, openssh has been enhanced to detect whether /dev/log exists. If /dev/log does not exist, processes in the chroot environment use their master processes for logging. (BZ#1083482)
* The buffer size for a host name was limited to 64 bytes. As a consequence, when a host name was 64 bytes long or longer, the ssh-keygen utility failed. The buffer size has been increased to fix this bug, and ssh-keygen no longer fails in the described situation. (BZ#1097665)
* Non-ASCII characters have been replaced by their octal representations in banner messages in order to prevent terminal re-programming attacks. Consequently, banners containing UTF-8 strings were not correctly displayed in a client. With this update, banner messages are processed according to RFC 3454, control characters have been removed, and banners containing UTF-8 strings are now displayed correctly. (BZ#1104662)
* Red Hat Enterprise Linux uses persistent Kerberos credential caches, which are shared between sessions. Previously, the GSSAPICleanupCredentials option was set to "yes" by default. Consequently, removing a Kerberos cache on logout could remove unrelated credentials of other sessions, which could make the system unusable. To fix this bug, GSSAPICleanupCredentials is set by default to "no". (BZ#1134447)
* Access permissions for the /etc/ssh/moduli file were set to 0600, which was unnecessarily strict. With this update, the permissions for /etc/ssh/moduli have been changed to 0644 to make the access to the file easier. (BZ#1134448)
* Due to the KRB5CCNAME variable being truncated, the Kerberos ticket cache was not found after login using a Kerberos-enabled SSH connection. The underlying source code has been modified to fix this bug, and Kerberos authentication works as expected in the described situation. (BZ#1161173)
Enhancements:
* When the sshd daemon is configured to force the internal SFTP session, a connection other then SFTP is used, the appropriate message is logged to the /var/log/secure file. (BZ#1130198)
* The sshd-keygen service was run using the "ExecStartPre=-/usr/sbin/sshd-keygen" option in the sshd.service unit file. With this update, the separate sshd-keygen.service unit file has been added, and sshd.service has been adjusted to require sshd-keygen.service. (BZ#1134997)
Users of openssh are advised to upgrade to these updated packages, which correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-2653">CVE-2014-2653</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9278">CVE-2014-9278</cve>
<bugzilla href="https://bugzilla.redhat.com/912792" id="912792">ssh client showing Connection closed by UNKNOWN after timeout at password prompt</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1071967" id="1071967">Inconsistent error message when generating keys in FIPS mode</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1081338" id="1081338">CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1084079" id="1084079">sftp / symlink does not create relative links</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1097665" id="1097665">ssh-keygen with error : gethostname: File name too long</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1102288" id="1102288">AuthorizedKeysCommand does not work under the Match section</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1134997" id="1134997">sshd.service shouldn't call /usr/sbin/sshd-keygen directly using ExecStartPre</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1143867" id="1143867">sshd fails to start in FIPS mode due to ED25519 key generation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153011" id="1153011">sshd requires that .k5login exists even if krb5_kuserok() returns TRUE</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1155626" id="1155626">KerberosUseKuserok default changed from "yes" to "no"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161173" id="1161173">sshd sets KRB5CCNAME environment variable with a truncated value</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162620" id="1162620">fatal: monitor_read: unsupported request: 82 on server while attempting GSSAPI key exchange</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169843" id="1169843">CVE-2014-9278 openssh: ~/.k5users unexpectedly grants remote login</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssh is earlier than 0:6.6.1p1-11.el7" test_ref="oval:com.redhat.rhsa:tst:20150425005"/>
<criterion comment="openssh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-askpass is earlier than 0:6.6.1p1-11.el7" test_ref="oval:com.redhat.rhsa:tst:20150425013"/>
<criterion comment="openssh-askpass is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-clients is earlier than 0:6.6.1p1-11.el7" test_ref="oval:com.redhat.rhsa:tst:20150425017"/>
<criterion comment="openssh-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425018"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-keycat is earlier than 0:6.6.1p1-11.el7" test_ref="oval:com.redhat.rhsa:tst:20150425011"/>
<criterion comment="openssh-keycat is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425012"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-ldap is earlier than 0:6.6.1p1-11.el7" test_ref="oval:com.redhat.rhsa:tst:20150425007"/>
<criterion comment="openssh-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-server is earlier than 0:6.6.1p1-11.el7" test_ref="oval:com.redhat.rhsa:tst:20150425009"/>
<criterion comment="openssh-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-server-sysvinit is earlier than 0:6.6.1p1-11.el7" test_ref="oval:com.redhat.rhsa:tst:20150425015"/>
<criterion comment="openssh-server-sysvinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425016"/>
</criteria>
<criteria operator="AND">
<criterion comment="pam_ssh_agent_auth is earlier than 0:0.9.3-9.11.el7" test_ref="oval:com.redhat.rhsa:tst:20150425019"/>
<criterion comment="pam_ssh_agent_auth is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150430" version="601">
<metadata>
<title>RHSA-2015:0430: virt-who security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0430-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0430.html" source="RHSA"/>
<reference ref_id="CVE-2014-0189" ref_url="https://access.redhat.com/security/cve/CVE-2014-0189" source="CVE"/>
<description>The virt-who package provides an agent that collects information about
virtual guests present in the system and reports them to the
subscription manager.
It was discovered that the /etc/sysconfig/virt-who configuration file,
which may contain hypervisor authentication credentials, was
world-readable. A local user could use this flaw to obtain authentication
credentials from this file. (CVE-2014-0189)
Red Hat would like to thank Sal Castiglione for reporting this issue.
The virt-who package has been upgraded to upstream version 0.11, which
provides a number of bug fixes and enhancements over the previous version.
The most notable bug fixes and enhancements include:
* Support for remote libvirt.
* A fix for using encrypted passwords.
* Bug fixes and enhancements that increase the stability of virt-who.
(BZ#1122489)
This update also fixes the following bugs:
* Prior to this update, the virt-who agent failed to read the list of
virtual guests provided by the VDSM daemon. As a consequence, when in VDSM
mode, the virt-who agent was not able to send updates about virtual guests
to Subscription Asset Manager (SAM) and Red Hat Satellite. With this
update, the agent reads the list of guests when in VDSM mode correctly and
reports to SAM and Satellite as expected. (BZ#1153405)
* Previously, virt-who used incorrect information when connecting to Red
Hat Satellite 5. Consequently, virt-who could not connect to Red Hat
Satellite 5 servers. The incorrect parameter has been corrected, and
virt-who can now successfully connect to Red Hat Satellite 5. (BZ#1158859)
* Prior to this update, virt-who did not decode the hexadecimal
representation of a password before decrypting it. As a consequence, the
decrypted password did not match the original password, and attempts to
connect using the password failed. virt-who has been updated to decode the
encrypted password and, as a result, virt-who now handles storing
credentials using encrypted passwords as expected. (BZ#1161607)
In addition, this update adds the following enhancement:
* With this update, virt-who is able to read the list of guests from a
remote libvirt hypervisor. (BZ#1127965)
Users of virt-who are advised to upgrade to this updated package, which
corrects these issues and adds these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0189">CVE-2014-0189</cve>
<bugzilla href="https://bugzilla.redhat.com/1065421" id="1065421">Remove dependency on 'libvirt' RPM</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076290" id="1076290">virt-who creat a null system in SAM server in esx mode</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1082981" id="1082981">Faild to add Hyper-V 2012 to SAM as virt-who communication with Hyper-V failed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1086517" id="1086517">virt-who failed when testing against Satellite 5.6 due to missing folder /var/lib/virt-who in RHEL 7</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1088732" id="1088732">CVE-2014-0189 virt-who: plaintext hypervisor passwords in world-readable /etc/sysconfig/virt-who configuration file</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098448" id="1098448">virt-who dies when the system is being unregistered</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1122489" id="1122489">virt-who rebase</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1127965" id="1127965">[RFE] Please add libvirt parameter for using Red Hat Enterprise Linux for Virtual Datacenter in kvm environments.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153405" id="1153405">virt-who can't work in the VDSM mode</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158759" id="1158759">Wrong permission for configuration file /etc/sysconfig/virt-who on rhel7.1</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158803" id="1158803">Can't display the running mode in the virt-who log</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158859" id="1158859">virt-who uses wrong server when connecting to satellite</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159187" id="1159187">"/etc/virt-who.d" hasn't been created by default.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161434" id="1161434">Take over one minute to stop/restart virt-who service in ESX mode.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161607" id="1161607">virt-who not able to decrypt encrypted password</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162049" id="1162049">syslog.target depenancy</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163021" id="1163021">Failed to send host/guest associate to SAM when virt-who run at esx mode</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168111" id="1168111">[VDSM mode]Failed to send host/guest associate to SAM when there is a vm in the host</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168122" id="1168122">virt-who incorrectly says that VM is from 'None' hypervisor</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="virt-who is earlier than 0:0.11-5.el7" test_ref="oval:com.redhat.rhsa:tst:20150430005"/>
<criterion comment="virt-who is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150430006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150439" version="601">
<metadata>
<title>RHSA-2015:0439: krb5 security, bug fix and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0439-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0439.html" source="RHSA"/>
<reference ref_id="CVE-2014-4341" ref_url="https://access.redhat.com/security/cve/CVE-2014-4341" source="CVE"/>
<reference ref_id="CVE-2014-4342" ref_url="https://access.redhat.com/security/cve/CVE-2014-4342" source="CVE"/>
<reference ref_id="CVE-2014-4343" ref_url="https://access.redhat.com/security/cve/CVE-2014-4343" source="CVE"/>
<reference ref_id="CVE-2014-4344" ref_url="https://access.redhat.com/security/cve/CVE-2014-4344" source="CVE"/>
<reference ref_id="CVE-2014-4345" ref_url="https://access.redhat.com/security/cve/CVE-2014-4345" source="CVE"/>
<reference ref_id="CVE-2014-5352" ref_url="https://access.redhat.com/security/cve/CVE-2014-5352" source="CVE"/>
<reference ref_id="CVE-2014-5353" ref_url="https://access.redhat.com/security/cve/CVE-2014-5353" source="CVE"/>
<reference ref_id="CVE-2014-9421" ref_url="https://access.redhat.com/security/cve/CVE-2014-9421" source="CVE"/>
<reference ref_id="CVE-2014-9422" ref_url="https://access.redhat.com/security/cve/CVE-2014-9422" source="CVE"/>
<reference ref_id="CVE-2014-9423" ref_url="https://access.redhat.com/security/cve/CVE-2014-9423" source="CVE"/>
<description>A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344)
A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database. A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345)
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) call the gss_process_context_token() function could use this flaw to crash that application. (CVE-2014-5352)
If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker with the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. (CVE-2014-5353)
A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets. (CVE-2014-9421)
It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as "kad/x") could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422)
An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS implementation (libgssrpc) handled certain requests. An attacker could send a specially crafted request to an application using libgssrpc to disclose a limited portion of uninitialized memory used by that application. (CVE-2014-9423)
Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application. (CVE-2014-4341, CVE-2014-4342)
A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343)
Red Hat would like to thank the MIT Kerberos project for reporting the CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. MIT Kerberos project acknowledges Nico Williams for helping with the analysis of CVE-2014-5352.
The krb5 packages have been upgraded to upstream version 1.12, which provides a number of bug fixes and enhancements, including:
* Added plug-in interfaces for principal-to-username mapping and verifying authorization to user accounts.
* When communicating with a KDC over a connected TCP or HTTPS socket, the client gives the KDC more time to reply before it transmits the request to another server. (BZ#1049709, BZ#1127995)
This update also fixes multiple bugs, for example:
* The Kerberos client library did not recognize certain exit statuses that the resolver libraries could return when looking up the addresses of servers configured in the /etc/krb5.conf file or locating Kerberos servers using DNS service location. The library could treat non-fatal return codes as fatal errors. Now, the library interprets the specific return codes correctly. (BZ#1084068, BZ#1109102)
In addition, this update adds various enhancements. Among others:
* Added support for contacting KDCs and kpasswd servers through HTTPS proxies implementing the Kerberos KDC Proxy (KKDCP) protocol. (BZ#1109919)</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4341">CVE-2014-4341</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4342">CVE-2014-4342</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4343">CVE-2014-4343</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4344">CVE-2014-4344</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4345">CVE-2014-4345</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-5352">CVE-2014-5352</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-5353">CVE-2014-5353</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9421">CVE-2014-9421</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9422">CVE-2014-9422</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9423">CVE-2014-9423</cve>
<bugzilla href="https://bugzilla.redhat.com/1084068" id="1084068">ipv6 address handling in krb5.conf</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1102837" id="1102837">Please backport improved GSSAPI mech configuration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109102" id="1109102">Kerberos does not handle incorrect Active Directory DNS SRV entries correctly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109919" id="1109919">Backport https support into libkrb5</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1116180" id="1116180">CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1118347" id="1118347">ksu non-functional, gets invalid argument copying cred cache</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1120581" id="1120581">CVE-2014-4342 krb5: denial of service flaws when handling RFC 1964 tokens</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1121789" id="1121789">CVE-2014-4343: use-after-free crash in SPNEGO</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1121876" id="1121876">CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1121877" id="1121877">CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1127995" id="1127995">aggressive kinit timeout causes AS_REQ resent and subsequent OTP auth failure</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1128157" id="1128157">CVE-2014-4345 krb5: buffer overrun in kadmind with LDAP backend (MITKRB5-SA-2014-001)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166012" id="1166012">libkadmclnt SONAME change (8 to 9) in krb5 1.12 update</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174543" id="1174543">CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1179856" id="1179856">CVE-2014-5352 krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1179857" id="1179857">CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1179861" id="1179861">CVE-2014-9422 krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1179863" id="1179863">CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184629" id="1184629">kinit loops on principals on unknown error</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="krb5 is earlier than 0:1.12.2-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150439005"/>
<criterion comment="krb5 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439006"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-devel is earlier than 0:1.12.2-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150439009"/>
<criterion comment="krb5-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439010"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-libs is earlier than 0:1.12.2-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150439017"/>
<criterion comment="krb5-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439018"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-pkinit is earlier than 0:1.12.2-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150439007"/>
<criterion comment="krb5-pkinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439008"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-server is earlier than 0:1.12.2-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150439011"/>
<criterion comment="krb5-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439012"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-server-ldap is earlier than 0:1.12.2-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150439015"/>
<criterion comment="krb5-server-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439016"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-workstation is earlier than 0:1.12.2-14.el7" test_ref="oval:com.redhat.rhsa:tst:20150439013"/>
<criterion comment="krb5-workstation is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150442" version="601">
<metadata>
<title>RHSA-2015:0442: ipa security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0442-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0442.html" source="RHSA"/>
<reference ref_id="CVE-2010-5312" ref_url="https://access.redhat.com/security/cve/CVE-2010-5312" source="CVE"/>
<reference ref_id="CVE-2012-6662" ref_url="https://access.redhat.com/security/cve/CVE-2012-6662" source="CVE"/>
<description>Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.
Two cross-site scripting (XSS) flaws were found in jQuery, which impacted the Identity Management web administrative interface, and could allow an authenticated user to inject arbitrary HTML or web script into the interface. (CVE-2010-5312, CVE-2012-6662)
Note: The IdM version provided by this update no longer uses jQuery.
This update adds several enhancements that are described in more detail in the Red Hat Enterprise Linux 7.1 Release Notes, linked to in the References section, including:
* Added the "ipa-cacert-manage" command, which renews the Certification Authority (CA) file. (BZ#886645)
* Added the ID Views feature. (BZ#891984)
* IdM now supports using one-time password (OTP) authentication and allows gradual migration from proprietary OTP solutions to the IdM OTP solution. (BZ#919228)
* Added the "ipa-backup" and "ipa-restore" commands to allow manual backups. (BZ#951581)
* Added a solution for regulating access permissions to specific sections of the IdM server. (BZ#976382)
This update also fixes several bugs, including:
* Previously, when IdM servers were configured to require the Transport Layer Security protocol version 1.1 (TLSv1.1) or later in the httpd server, the "ipa" command-line utility failed. With this update, running "ipa" works as expected with TLSv1.1 or later. (BZ#1156466)
In addition, this update adds multiple enhancements, including:
* The "ipa-getkeytab" utility can now optionally fetch existing keytabs from the KDC. Previously, retrieving an existing keytab was not supported, as the only option was to generate a new key. (BZ#1007367)
* You can now create and manage a "." root zone on IdM servers. DNS queries sent to the IdM DNS server use this configured zone instead of the public zone. (BZ#1056202)
* The IdM server web UI has been updated and is now based on the Patternfly framework, offering better responsiveness. (BZ#1108212)
* A new user attribute now enables provisioning systems to add custom tags for user objects. The tags can be used for automember rules or for additional local interpretation. (BZ#1108229)
* This update adds a new DNS zone type to ensure that forward and master zones are better separated. As a result, the IdM DNS interface complies with the forward zone semantics in BIND. (BZ#1114013)
* This update adds a set of Apache modules that external applications can use to achieve tighter interaction with IdM beyond simple authentication. (BZ#1107555)
* IdM supports configuring automember rules for automated assignment of users or hosts in respective groups according to their characteristics, such as the "userClass" or "departmentNumber" attributes. Previously, the rules could be applied only to new entries. This update allows applying the rules also to existing users or hosts. (BZ#1108226)
* The extdom plug-in translates Security Identifiers (SIDs) of Active Directory (AD) users and groups to names and POSIX IDs. With this update, extdom returns the full member list for groups and the full list of group memberships for a user, the GECOS field, the home directory, as well as the login shell of a user. Also, an optional list of key-value pairs contains the SID of the requested object if the SID is available. (BZ#1030699)
All ipa users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2010-5312">CVE-2010-5312</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2012-6662">CVE-2012-6662</cve>
<bugzilla href="https://bugzilla.redhat.com/711693" id="711693">[RFE] Normal users should not be given privileges to view all sudorules and their details.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/788645" id="788645">[RFE] Allow filter and subtree to be added in same permission</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/815828" id="815828">Rename DNS permissions to use mixed-case</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/817909" id="817909">error indicates a different reason when ipa permission-mod fails to modify attrs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/854335" id="854335">Unable to update "remove automount keys" - it has filter and subtree specified</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/887988" id="887988">[RFE] Expose the krbPrincipalExpiration attribute for editing in the IPA CLI / WEBUI</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/891984" id="891984">[RFE] ID Views: Support migration from the sync solution to the trust solution</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/893850" id="893850">Unable to update permissions for "Add Automount Keys"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/921655" id="921655">fix UI CSS to support RH branding</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/922749" id="922749">IPA Navigation links overlaped or unclickable</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/924008" id="924008">Unknown binary attributes can cause migration to fail</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/924395" id="924395">[RFE] ipa-client-install should configure sudo automatically</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/951581" id="951581">[RFE] Backup & Restore mechanism</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/970618" id="970618">[RFE] pac-type change must be effective immediately without kdc restart</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/971061" id="971061">Localization not working even for languages that are localized</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/975456" id="975456">[RFE] add option to ipa-client-install to configure automount</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/985234" id="985234">ipa-client-install --uninstall starts nscd service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1027712" id="1027712">"username" field in IPA webUI login page should be mandatory</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1027713" id="1027713">There is no version information on IPA WebUI</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1030699" id="1030699">[RFE] Support initgroups for unauthenticated AD users</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1031111" id="1031111">ipa-client: add root CA to trust anchors if not already available</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1033357" id="1033357">ipactl can not restart ipa services if current status is "stopped"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1035286" id="1035286">[WebUI] Realm domain is not providing proper error message</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1048934" id="1048934">[WebUI] Retry and Cancel dialogs do not support 'confirmation by Enter'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1048956" id="1048956">[WebUI] "OK" button is not focused on "Operations Error" dialog, once we opened "show details"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1056202" id="1056202">[RFE] Support DNS root zone</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1058780" id="1058780">Missing checks during ipa idrange-add</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1060349" id="1060349">IPA: Unable to add host when ipv6 address already exits</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1061772" id="1061772">[WebUI] Maximum serial number search accepts negative inputs and lists wrong search results.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1072502" id="1072502">running ipa-server-install --setup-dns results in a crash</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1075129" id="1075129">bogus time estimates shown for configuration of various component in replica installation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1077734" id="1077734">[WebUI] select all checkbox remains selected after operation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1080209" id="1080209">IPA server does not allow sudo host network filters</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1080532" id="1080532">ipa-client-install --uninstall crash on a freshly installed machine joined to IPA via reamd and anaconda</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1081626" id="1081626">When certmonger is still tracking cert in ipa, uninstall fails but error does not indicate this</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1084609" id="1084609">[RFE] RHEL7 support for ipa-admintools on other architectures</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1099811" id="1099811">Apache crashes when replica is restarted when installing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1107555" id="1107555">[RFE] Provide a stack of apache modules for any applications to consume</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108195" id="1108195">MOD command returns duplicate memberships</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108201" id="1108201">cannot create dns zone when name has consecutive dash characters</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108202" id="1108202">dnsrecord-* with absolute target gives error</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108203" id="1108203">[RFE] Add EmployeeID in the Web UI and command name</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108204" id="1108204">PTR record cannot be added from UI, if user added zone without last '.'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108205" id="1108205">Replica installation dies if /etc/resolv.conf is not writeable</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108206" id="1108206">sshd should run at least once before ipa-client-install</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108207" id="1108207">[WebUI] When adding a condition to an automember rule, expression field should be required</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108208" id="1108208">The Synchronizing time with KDC... message looks strange between login and password prompts</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108212" id="1108212">[RFE] Adopt Patternfly/RCUE open interface project for the Web UI</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108213" id="1108213">Installers should explicitly specify auth mechanism when calling ldapmodify</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108214" id="1108214">ipa-replica-install: DNS check is between "host already exists" message and exit</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108215" id="1108215">Make Read replication agreements permission less more targeted</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108216" id="1108216">Unexpected error when providing incorrect password to ipa-ldap-updater</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108220" id="1108220">Broken Firefox configuration files in freeipa-client package</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108222" id="1108222">SSH widget doesn't honor a lack of write right</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108224" id="1108224">Replace ntpdate calls with ntpd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108225" id="1108225">ipadb.so could get tripped up by DAL changes to support keyless principals</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108226" id="1108226">[RFE] Use automember for hosts after the host is added</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108228" id="1108228">Add UI for the new user and host userClass attribute</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108229" id="1108229">[RFE] Better integration with the external provisioning systems - users</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108230" id="1108230">Should not display ports to open when password is incorrect during ipa-client-install.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108231" id="1108231">ipa-join usage instructions are incorrect</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108232" id="1108232">[RFE] ipa migrate-ds should have an argument to specify cert to use for DS connection</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108233" id="1108233">[RFE] ipa dnsrecord-add should allow internationalized names</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108234" id="1108234">[WebUI] it is not clear which row a value belongs to</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108235" id="1108235">xmlrpc system commands do not work</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108236" id="1108236">Name is blank in error message for duplicate automember rule</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108237" id="1108237">[RFE] Enhance input validation for filters in access control</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1109726" id="1109726">Rebase IPA to 4.1</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112603" id="1112603">Internal Error: `ipa sudorule-mod rule --order=`</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112605" id="1112605">[RFE] Add support for SubjectAltNames (SAN) to IPA service certificates</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112691" id="1112691">ipa-server-install break sshd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113918" id="1113918">Setting a sudo category to all doesn't check to see if rules already exist</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113919" id="1113919">Let deny commands be added to sudo rule with cmdcatetory=ALL</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113920" id="1113920">Sudo runasgroup entry not generated by the sudo compat tree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1114013" id="1114013">[RFE] Separate master and forward DNS zones</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1115048" id="1115048">Description attribute should not be required</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1115616" id="1115616">[RFE] Allow unlocking user in Web UI</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1126989" id="1126989">ipa-client-install creates configuration file with deprecated values</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1128380" id="1128380">Failure when installing on dual stacked system with external ca</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1129558" id="1129558">Windows Server 2012 CA does not accept CSR generated by IdM External CA installation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1129730" id="1129730">CA-less installation fails when the CA cert has an empty subject</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131049" id="1131049">Update SSL ciphers configured in 389-ds-base</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131187" id="1131187">ipa-ldap-upgrade should restore Directory Server settings when upgrade fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1131877" id="1131877">Registering one IPA server with the browser removes entries for another</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1133966" id="1133966">ipa trust-add cmd should be interactive</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138773" id="1138773">Internal error received for blank password with --trust-secret</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138775" id="1138775">Password migration is broken</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138777" id="1138777">Renewal with no master CA</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138791" id="1138791">Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138792" id="1138792">Disable unsupported ID range types</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138795" id="1138795">DS returns limited RootDSE</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138798" id="1138798">Add support for bounce_url to /ipa/ui/reset_password.html</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1138803" id="1138803">Do not store host certificate in shared NSS database /etc/pki/nssdb</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142088" id="1142088">ipa-server-install searches CA under different hostname</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1142789" id="1142789">host-del command does not accept --continue</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1147679" id="1147679">ipa man page incorrectly indicates how to add users</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1149124" id="1149124">group-add doesn't accept gid parameter</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1156466" id="1156466">POODLE: force using safe ciphers (non-SSLv3) in IPA client and server</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159011" id="1159011">Trust setting not restored for CA cert with ipa-restore command</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159330" id="1159330">RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159816" id="1159816">ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1160756" id="1160756">Investigate & fix Coverity defects in IPA DS/KDC plugins</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1160758" id="1160758">Tests: host-del returns DatabaseError</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161128" id="1161128">Upgrade 3.3.5 to 4.1 failed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161129" id="1161129">ipactl stop should stop dirsrv last</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161131" id="1161131">Deadlock in schema compat plugin</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162340" id="1162340">ipa-server-install fails when restarting named</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163498" id="1163498">Renewing the CA signing certificate does not extend its validity period end</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163849" id="1163849">error message which is not understandable when IDNA2003 characters are present in --zonemgr (--zonemgr=Têko@redhat.com)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1164859" id="1164859">Traceback when adding zone with long name</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1164896" id="1164896">RHEL7.1 IPA server httpd avc denials after upgrade</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166041" id="1166041">CVE-2010-5312 jquery-ui: XSS vulnerability in jQuery.ui.dialog title option</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166064" id="1166064">CVE-2012-6662 jquery-ui: XSS vulnerability in default content in Tooltip widget</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166641" id="1166641">ipa-otp-lasttoken loads all user's tokens on every mod/del</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166931" id="1166931">RHEL7.1 ipa automatic CA cert renewal stuck in submitting state</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1167196" id="1167196">schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1167270" id="1167270">Tracebacks with latest build for --zonemgr cli option</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1167964" id="1167964">RHEL7.1 ipa replica unable to replicate to rhel6 master</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168214" id="1168214">[WebUI] Not able to unprovisioning service in IPA 4.1</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168376" id="1168376">Clean up debug log for trust-add</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168916" id="1168916">Extend host-show to add the view attribute in set of default attributes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169591" id="1169591">RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169867" id="1169867">Winsync: Setup is broken due to incorrect import of certificate</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170003" id="1170003">RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170695" id="1170695">krb5kdc crash in ldap_pvt_search</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1171089" id="1171089">webui: increase notification duration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1172578" id="1172578">CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1172598" id="1172598">Access is not rejected for disabled domain</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1173207" id="1173207">IPA certs fail to autorenew simultaneouly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175277" id="1175277">Data replication not working as expected after data restore from full backup</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175287" id="1175287">No error message thrown on restore(full kind) on replica from full backup taken on master</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175326" id="1175326">ipa-restore proceed even IPA not configured</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175384" id="1175384">DNS zones are not migrated into forward zones if 4.0+ replica is added</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1176034" id="1176034">More validation required on ipa-restore's options</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1176995" id="1176995">IPA replica missing data after master upgraded</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1177133" id="1177133">When migrating warn user if compat is enabled</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1178128" id="1178128">IPA externally signed CA cert expiration warning missing from log</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1181010" id="1181010">ipa-replica-manage list does not list synced domain</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1181093" id="1181093">PassSync does not sync passwords due to missing ACIs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1181767" id="1181767">ipa-upgradeconfig fails in CA-less installs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183279" id="1183279">ipa-replica-manage disconnect fails without password</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184149" id="1184149">DUA profile not available anonymously</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1185410" id="1185410">idoverrideuser-add option --sshpubkey does not work</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1186396" id="1186396">ipa-restore crashes if replica is unreachable</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1186398" id="1186398">Wrong directories created on full restore</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187342" id="1187342">Login ignores global OTP enablement</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187540" id="1187540">Full set of objectclass not available post group detach.</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ipa is earlier than 0:4.1.0-18.el7" test_ref="oval:com.redhat.rhsa:tst:20150442005"/>
<criterion comment="ipa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-admintools is earlier than 0:4.1.0-18.el7" test_ref="oval:com.redhat.rhsa:tst:20150442011"/>
<criterion comment="ipa-admintools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442012"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-client is earlier than 0:4.1.0-18.el7" test_ref="oval:com.redhat.rhsa:tst:20150442009"/>
<criterion comment="ipa-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-python is earlier than 0:4.1.0-18.el7" test_ref="oval:com.redhat.rhsa:tst:20150442007"/>
<criterion comment="ipa-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442008"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-server is earlier than 0:4.1.0-18.el7" test_ref="oval:com.redhat.rhsa:tst:20150442013"/>
<criterion comment="ipa-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-server-trust-ad is earlier than 0:4.1.0-18.el7" test_ref="oval:com.redhat.rhsa:tst:20150442015"/>
<criterion comment="ipa-server-trust-ad is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150535" version="601">
<metadata>
<title>RHSA-2015:0535: GNOME Shell security, bug fix, and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0535-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0535.html" source="RHSA"/>
<reference ref_id="CVE-2014-7300" ref_url="https://access.redhat.com/security/cve/CVE-2014-7300" source="CVE"/>
<description>GNOME Shell and the packages it depends upon provide the core user interface of the Red Hat Enterprise Linux desktop, including functions such as navigating between windows and launching applications.
It was found that the GNOME shell did not disable the Print Screen key when the screen was locked. This could allow an attacker with physical access to a system with a locked screen to crash the screen-locking application by creating a large amount of screenshots. (CVE-2014-7300)
This update also fixes the following bugs:
* The Timed Login feature, which automatically logs in a specified user after a specified period of time, stopped working after the first user of the GUI logged out. This has been fixed, and the specified user is always logged in if no one else logs in. (BZ#1043571)
* If two monitors were arranged vertically with the secondary monitor above the primary monitor, it was impossible to move windows onto the secondary monitor. With this update, windows can be moved through the upper edge of the first monitor to the secondary monitor. (BZ#1075240)
* If the Gnome Display Manager (GDM) user list was disabled and a user entered the user name, the password prompt did not appear. Instead, the user had to enter the user name one more time. The GDM code that contained this error has been fixed, and users can enter their user names and passwords as expected. (BZ#1109530)
* Prior to this update, only a small area was available on the GDM login screen for a custom text banner. As a consequence, when a long banner was used, it did not fit into the area, and the person reading the banner had to use scrollbars to view the whole text. With this update, more space is used for the banner if necessary, which allows the user to read the message conveniently. (BZ#1110036)
* When the Cancel button was pressed while an LDAP user name and password was being validated, the GDM code did not handle the situation correctly. As a consequence, GDM became unresponsive, and it was impossible to return to the login screen. The affected code has been fixed, and LDAP user validation can be canceled, allowing another user to log in instead. (BZ#1137041)
* If the window focus mode in GNOME was set to "mouse" or "sloppy", navigating through areas of a pop-up menu displayed outside its parent window caused the window to lose its focus. Consequently, the menu was not usable. This has been fixed, and the window focus is kept in under this scenario. (BZ#1149585)
* If user authentication is configured to require a smart card to log in, user names are obtained from the smart card. The authentication is then performed by entering the smart card PIN. Prior to this update, the login screen allowed a user name to be entered if no smart card was inserted, but due to a bug in the underlying code, the screen became unresponsive. If, on the other hand, a smart card was used for authentication, the user was logged in as soon as the authentication was complete. As a consequence, it was impossible to select a session other than GNOME Classic. Both of these problems have been fixed. Now, a smart card is required when this type of authentication is enabled, and any other installed session can be selected by the user. (BZ#1159385, BZ#1163474)
In addition, this update adds the following enhancement:
* Support for quad-buffer OpenGL stereo visuals has been added. As a result, OpenGL applications that use quad-buffer stereo can be run and properly displayed within the GNOME desktop when used with a video driver and hardware with the necessary capabilities. (BZ#861507, BZ#1108890, BZ#1108891, BZ#1108893)
All GNOME Shell users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7300">CVE-2014-7300</cve>
<bugzilla href="https://bugzilla.redhat.com/1043571" id="1043571">Timed Login Failure</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1052201" id="1052201">Details -- Default Applications -- calendar</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1092102" id="1092102">workspaces thumbnails in overview too narrow with large number of workspaces</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1108322" id="1108322">Qt menu placement problem with gnome-shell and vertical monitors</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1126754" id="1126754">Workspace window placement is not persistent if monitors are switched</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1137041" id="1137041">GDM hangs when cancelling ldap user login</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1147917" id="1147917">CVE-2014-7300 gnome-shell: lockscreen bypass with printscreen key</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1149585" id="1149585">sloppy/mouse focus mode break with long pull-down menus</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1153641" id="1153641">[multi-head] Window is moved on its own to other screen</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1154107" id="1154107">CVE-2014-7300 gnome-shell: lockscreen bypass with printscreen key [rhel-7.1]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1154122" id="1154122">Respect disable-save-to-disk lockdown setting</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159385" id="1159385">GDM does not prompt for smartcard</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163474" id="1163474">pam_pkcs11 with card_only breaks session selection</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="cogl is earlier than 0:1.14.0-6.el7" test_ref="oval:com.redhat.rhsa:tst:20150535005"/>
<criterion comment="cogl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535006"/>
</criteria>
<criteria operator="AND">
<criterion comment="cogl-devel is earlier than 0:1.14.0-6.el7" test_ref="oval:com.redhat.rhsa:tst:20150535009"/>
<criterion comment="cogl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535010"/>
</criteria>
<criteria operator="AND">
<criterion comment="cogl-doc is earlier than 0:1.14.0-6.el7" test_ref="oval:com.redhat.rhsa:tst:20150535007"/>
<criterion comment="cogl-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535008"/>
</criteria>
<criteria operator="AND">
<criterion comment="clutter is earlier than 0:1.14.4-12.el7" test_ref="oval:com.redhat.rhsa:tst:20150535011"/>
<criterion comment="clutter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535012"/>
</criteria>
<criteria operator="AND">
<criterion comment="clutter-devel is earlier than 0:1.14.4-12.el7" test_ref="oval:com.redhat.rhsa:tst:20150535013"/>
<criterion comment="clutter-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535014"/>
</criteria>
<criteria operator="AND">
<criterion comment="clutter-doc is earlier than 0:1.14.4-12.el7" test_ref="oval:com.redhat.rhsa:tst:20150535015"/>
<criterion comment="clutter-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535016"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnome-shell is earlier than 0:3.8.4-45.el7" test_ref="oval:com.redhat.rhsa:tst:20150535017"/>
<criterion comment="gnome-shell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535018"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnome-shell-browser-plugin is earlier than 0:3.8.4-45.el7" test_ref="oval:com.redhat.rhsa:tst:20150535019"/>
<criterion comment="gnome-shell-browser-plugin is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535020"/>
</criteria>
<criteria operator="AND">
<criterion comment="mutter is earlier than 0:3.8.4-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150535021"/>
<criterion comment="mutter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535022"/>
</criteria>
<criteria operator="AND">
<criterion comment="mutter-devel is earlier than 0:3.8.4-16.el7" test_ref="oval:com.redhat.rhsa:tst:20150535023"/>
<criterion comment="mutter-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535024"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150642" version="601">
<metadata>
<title>RHSA-2015:0642: thunderbird security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0642-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0642.html" source="RHSA"/>
<reference ref_id="CVE-2015-0822" ref_url="https://access.redhat.com/security/cve/CVE-2015-0822" source="CVE"/>
<reference ref_id="CVE-2015-0827" ref_url="https://access.redhat.com/security/cve/CVE-2015-0827" source="CVE"/>
<reference ref_id="CVE-2015-0831" ref_url="https://access.redhat.com/security/cve/CVE-2015-0831" source="CVE"/>
<reference ref_id="CVE-2015-0836" ref_url="https://access.redhat.com/security/cve/CVE-2015-0836" source="CVE"/>
<description>Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-0836, CVE-2015-0831, CVE-2015-0827)
An information leak flaw was found in the way Thunderbird implemented
autocomplete forms. An attacker able to trick a user into specifying a
local file in the form could use this flaw to access the contents of that
file. (CVE-2015-0822)
Note: All of the above issues cannot be exploited by a specially crafted
HTML mail message as JavaScript is disabled by default for mail messages.
They could be exploited another way in Thunderbird, for example, when
viewing the full remote content of an RSS feed.
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Carsten Book, Christoph Diehl, Gary Kwong, Jan de
Mooij, Liz Henry, Byron Campen, Tom Schuster, Ryan VanderMeulen, Paul
Bandha, Abhishek Arya, and Armin Razmdjou as the original reporters of
these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 31.5.0. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 31.5.0, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-05"/>
<updated date="2015-03-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0822">CVE-2015-0822</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0827">CVE-2015-0827</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0831">CVE-2015-0831</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0836">CVE-2015-0836</cve>
<bugzilla href="https://bugzilla.redhat.com/1195605" id="1195605">CVE-2015-0836 Mozilla: Miscellaneous memory safety hazards (rv:31.5) (MFSA 2015-11)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1195619" id="1195619">CVE-2015-0831 Mozilla: Use-after-free in IndexedDB (MFSA 2015-16)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1195623" id="1195623">CVE-2015-0827 Mozilla: Out-of-bounds read and write while rendering SVG content (MFSA 2015-19)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1195638" id="1195638">CVE-2015-0822 Mozilla: Reading of local files through manipulation of form autocomplete (MFSA 2015-24)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:31.5.0-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150642005"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150672" version="601">
<metadata>
<title>RHSA-2015:0672: bind security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:0672-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0672.html" source="RHSA"/>
<reference ref_id="CVE-2015-1349" ref_url="https://access.redhat.com/security/cve/CVE-2015-1349" source="CVE"/>
<description>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.
A flaw was found in the way BIND handled trust anchor management. A remote
attacker could use this flaw to cause the BIND daemon (named) to crash
under certain conditions. (CVE-2015-1349)
Red Hat would like to thank ISC for reporting this issue.
All bind users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, the BIND daemon (named) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-10"/>
<updated date="2015-03-11"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1349">CVE-2015-1349</cve>
<bugzilla href="https://bugzilla.redhat.com/1193820" id="1193820">CVE-2015-1349 bind: issue in trust anchor management can cause named to crash</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.8.2-0.30.rc1.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20150672005"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.8.2-0.30.rc1.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20150672011"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.8.2-0.30.rc1.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20150672009"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.8.2-0.30.rc1.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20150672007"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.8.2-0.30.rc1.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20150672013"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.8.2-0.30.rc1.el6_6.2" test_ref="oval:com.redhat.rhsa:tst:20150672015"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672021"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672033"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672030"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672023"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs-lite is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672026"/>
<criterion comment="bind-libs-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984041"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-license is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672031"/>
<criterion comment="bind-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984029"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-lite-devel is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672028"/>
<criterion comment="bind-lite-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984039"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672034"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb-chroot is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672024"/>
<criterion comment="bind-sdb-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984035"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.9.4-18.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150672022"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150696" version="601">
<metadata>
<title>RHSA-2015:0696: freetype security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0696-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0696.html" source="RHSA"/>
<reference ref_id="CVE-2014-9657" ref_url="https://access.redhat.com/security/cve/CVE-2014-9657" source="CVE"/>
<reference ref_id="CVE-2014-9658" ref_url="https://access.redhat.com/security/cve/CVE-2014-9658" source="CVE"/>
<reference ref_id="CVE-2014-9660" ref_url="https://access.redhat.com/security/cve/CVE-2014-9660" source="CVE"/>
<reference ref_id="CVE-2014-9661" ref_url="https://access.redhat.com/security/cve/CVE-2014-9661" source="CVE"/>
<reference ref_id="CVE-2014-9663" ref_url="https://access.redhat.com/security/cve/CVE-2014-9663" source="CVE"/>
<reference ref_id="CVE-2014-9664" ref_url="https://access.redhat.com/security/cve/CVE-2014-9664" source="CVE"/>
<reference ref_id="CVE-2014-9667" ref_url="https://access.redhat.com/security/cve/CVE-2014-9667" source="CVE"/>
<reference ref_id="CVE-2014-9669" ref_url="https://access.redhat.com/security/cve/CVE-2014-9669" source="CVE"/>
<reference ref_id="CVE-2014-9670" ref_url="https://access.redhat.com/security/cve/CVE-2014-9670" source="CVE"/>
<reference ref_id="CVE-2014-9671" ref_url="https://access.redhat.com/security/cve/CVE-2014-9671" source="CVE"/>
<reference ref_id="CVE-2014-9673" ref_url="https://access.redhat.com/security/cve/CVE-2014-9673" source="CVE"/>
<reference ref_id="CVE-2014-9674" ref_url="https://access.redhat.com/security/cve/CVE-2014-9674" source="CVE"/>
<reference ref_id="CVE-2014-9675" ref_url="https://access.redhat.com/security/cve/CVE-2014-9675" source="CVE"/>
<description>FreeType is a free, high-quality, portable font engine that can open and
manage font files. It also loads, hints, and renders individual glyphs
efficiently.
Multiple integer overflow flaws and an integer signedness flaw, leading to
heap-based buffer overflows, were found in the way FreeType handled Mac
fonts. If a specially crafted font file was loaded by an application linked
against FreeType, it could cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the
application. (CVE-2014-9673, CVE-2014-9674)
Multiple flaws were found in the way FreeType handled fonts in various
formats. If a specially crafted font file was loaded by an application
linked against FreeType, it could cause the application to crash or,
possibly, disclose a portion of the application memory. (CVE-2014-9657,
CVE-2014-9658, CVE-2014-9660, CVE-2014-9661, CVE-2014-9663, CVE-2014-9664,
CVE-2014-9667, CVE-2014-9669, CVE-2014-9670, CVE-2014-9671, CVE-2014-9675)
All freetype users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The X server must be
restarted (log out, then log back in) for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-17"/>
<updated date="2015-03-17"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9657">CVE-2014-9657</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9658">CVE-2014-9658</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9660">CVE-2014-9660</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9661">CVE-2014-9661</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9663">CVE-2014-9663</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9664">CVE-2014-9664</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9667">CVE-2014-9667</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9669">CVE-2014-9669</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9670">CVE-2014-9670</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9671">CVE-2014-9671</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9673">CVE-2014-9673</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9674">CVE-2014-9674</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9675">CVE-2014-9675</cve>
<bugzilla href="https://bugzilla.redhat.com/1191079" id="1191079">CVE-2014-9657 freetype: off-by-one buffer over-read in tt_face_load_hdmx()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191080" id="1191080">CVE-2014-9658 freetype: buffer over-read and integer underflow in tt_face_load_kern()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191082" id="1191082">CVE-2014-9660 freetype: missing ENDCHAR NULL pointer dereference in the _bdf_parse_glyphs()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191083" id="1191083">CVE-2014-9661 freetype: out of bounds read in Type42 font parser</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191085" id="1191085">CVE-2014-9663 freetype: out-of-bounds read in tt_cmap4_validate()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191086" id="1191086">CVE-2014-9664 freetype: off-by-one buffer over-read in parse_charstrings() / t42_parse_charstrings()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191090" id="1191090">CVE-2014-9667 freetype: integer overflow in tt_face_load_font_dir() leading to out-of-bounds read</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191092" id="1191092">CVE-2014-9669 freetype: multiple integer overflows leading to buffer over-reads in cmap handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191093" id="1191093">CVE-2014-9670 freetype: integer overflow in pcf_get_encodings() leading to NULL pointer dereference</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191094" id="1191094">CVE-2014-9671 freetype: integer overflow in pcf_get_properties() leading to NULL pointer dereference</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191096" id="1191096">CVE-2014-9673 freetype: integer signedness error in Mac_Read_POST_Resource() leading to heap-based buffer overflow</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191190" id="1191190">CVE-2014-9674 freetype: multiple integer overflows Mac_Read_POST_Resource() leading to heap-based buffer overflows</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191192" id="1191192">CVE-2014-9675 freetype: information leak in _bdf_add_property()</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="freetype is earlier than 0:2.3.11-15.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20150696005"/>
<criterion comment="freetype is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150696006"/>
</criteria>
<criteria operator="AND">
<criterion comment="freetype-demos is earlier than 0:2.3.11-15.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20150696009"/>
<criterion comment="freetype-demos is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150696010"/>
</criteria>
<criteria operator="AND">
<criterion comment="freetype-devel is earlier than 0:2.3.11-15.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20150696007"/>
<criterion comment="freetype-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150696008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="freetype is earlier than 0:2.4.11-10.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150696015"/>
<criterion comment="freetype is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150696006"/>
</criteria>
<criteria operator="AND">
<criterion comment="freetype-demos is earlier than 0:2.4.11-10.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150696017"/>
<criterion comment="freetype-demos is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150696010"/>
</criteria>
<criteria operator="AND">
<criterion comment="freetype-devel is earlier than 0:2.4.11-10.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20150696016"/>
<criterion comment="freetype-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150696008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150700" version="601">
<metadata>
<title>RHSA-2015:0700: unzip security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0700-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0700.html" source="RHSA"/>
<reference ref_id="CVE-2014-8139" ref_url="https://access.redhat.com/security/cve/CVE-2014-8139" source="CVE"/>
<reference ref_id="CVE-2014-8140" ref_url="https://access.redhat.com/security/cve/CVE-2014-8140" source="CVE"/>
<reference ref_id="CVE-2014-8141" ref_url="https://access.redhat.com/security/cve/CVE-2014-8141" source="CVE"/>
<reference ref_id="CVE-2014-9636" ref_url="https://access.redhat.com/security/cve/CVE-2014-9636" source="CVE"/>
<description>The unzip utility is used to list, test, or extract files from a
zip archive.
A buffer overflow was found in the way unzip uncompressed certain extra
fields of a file. A specially crafted Zip archive could cause unzip to
crash or, possibly, execute arbitrary code when the archive was tested with
unzip's '-t' option. (CVE-2014-9636)
A buffer overflow flaw was found in the way unzip computed the CRC32
checksum of certain extra fields of a file. A specially crafted Zip archive
could cause unzip to crash when the archive was tested with unzip's '-t'
option. (CVE-2014-8139)
An integer underflow flaw, leading to a buffer overflow, was found in the
way unzip uncompressed certain extra fields of a file. A specially crafted
Zip archive could cause unzip to crash when the archive was tested with
unzip's '-t' option. (CVE-2014-8140)
A buffer overflow flaw was found in the way unzip handled Zip64 files.
A specially crafted Zip archive could possibly cause unzip to crash when
the archive was uncompressed. (CVE-2014-8141)
Red Hat would like to thank oCERT for reporting the CVE-2014-8139,
CVE-2014-8140, and CVE-2014-8141 issues. oCERT acknowledges Michele
Spagnuolo of the Google Security Team as the original reporter of
these issues.
All unzip users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-18"/>
<updated date="2015-03-18"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8139">CVE-2014-8139</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8140">CVE-2014-8140</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8141">CVE-2014-8141</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9636">CVE-2014-9636</cve>
<bugzilla href="https://bugzilla.redhat.com/1174844" id="1174844">CVE-2014-8139 unzip: CRC32 verification heap-based buffer overread (oCERT-2014-011)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174851" id="1174851">CVE-2014-8140 unzip: out-of-bounds write issue in test_compr_eb() (oCERT-2014-011)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174856" id="1174856">CVE-2014-8141 unzip: getZip64Data() out-of-bounds read issues (oCERT-2014-011)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184985" id="1184985">CVE-2014-9636 unzip: out-of-bounds read/write in test_compr_eb() in extract.c</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="unzip is earlier than 0:6.0-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150700005"/>
<criterion comment="unzip is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150700006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="unzip is earlier than 0:6.0-15.el7" test_ref="oval:com.redhat.rhsa:tst:20150700011"/>
<criterion comment="unzip is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150700006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150716" version="602">
<metadata>
<title>RHSA-2015:0716: openssl security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0716-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0716.html" source="RHSA"/>
<reference ref_id="CVE-2015-0209" ref_url="https://access.redhat.com/security/cve/CVE-2015-0209" source="CVE"/>
<reference ref_id="CVE-2015-0286" ref_url="https://access.redhat.com/security/cve/CVE-2015-0286" source="CVE"/>
<reference ref_id="CVE-2015-0287" ref_url="https://access.redhat.com/security/cve/CVE-2015-0287" source="CVE"/>
<reference ref_id="CVE-2015-0288" ref_url="https://access.redhat.com/security/cve/CVE-2015-0288" source="CVE"/>
<reference ref_id="CVE-2015-0289" ref_url="https://access.redhat.com/security/cve/CVE-2015-0289" source="CVE"/>
<reference ref_id="CVE-2015-0292" ref_url="https://access.redhat.com/security/cve/CVE-2015-0292" source="CVE"/>
<reference ref_id="CVE-2015-0293" ref_url="https://access.redhat.com/security/cve/CVE-2015-0293" source="CVE"/>
<reference ref_id="CVE-2016-0703" ref_url="https://access.redhat.com/security/cve/CVE-2016-0703" source="CVE"/>
<reference ref_id="CVE-2016-0704" ref_url="https://access.redhat.com/security/cve/CVE-2016-0704" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
An invalid pointer use flaw was found in OpenSSL's ASN1_TYPE_cmp()
function. A remote attacker could crash a TLS/SSL client or server using
OpenSSL via a specially crafted X.509 certificate when the
attacker-supplied certificate was verified by the application.
(CVE-2015-0286)
An integer underflow flaw, leading to a buffer overflow, was found in the
way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to
make an application using OpenSSL decode a specially crafted Base64-encoded
input (such as a PEM file) could use this flaw to cause the application to
crash. Note: this flaw is not exploitable via the TLS/SSL protocol because
the data being transferred is not Base64-encoded. (CVE-2015-0292)
A denial of service flaw was found in the way OpenSSL handled SSLv2
handshake messages. A remote attacker could use this flaw to cause a
TLS/SSL server using OpenSSL to exit on a failed assertion if it had both
the SSLv2 protocol and EXPORT-grade cipher suites enabled. (CVE-2015-0293)
A use-after-free flaw was found in the way OpenSSL imported malformed
Elliptic Curve private keys. A specially crafted key file could cause an
application using OpenSSL to crash when imported. (CVE-2015-0209)
An out-of-bounds write flaw was found in the way OpenSSL reused certain
ASN.1 structures. A remote attacker could possibly use a specially crafted
ASN.1 structure that, when parsed by an application, would cause that
application to crash. (CVE-2015-0287)
A NULL pointer dereference flaw was found in OpenSSL's X.509 certificate
handling implementation. A specially crafted X.509 certificate could cause
an application using OpenSSL to crash if the application attempted to
convert the certificate to a certificate request. (CVE-2015-0288)
A NULL pointer dereference was found in the way OpenSSL handled certain
PKCS#7 inputs. An attacker able to make an application using OpenSSL
verify, decrypt, or parse a specially crafted PKCS#7 input could cause that
application to crash. TLS/SSL clients and servers using OpenSSL were not
affected by this flaw. (CVE-2015-0289)
Red Hat would like to thank the OpenSSL project for reporting
CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292,
and CVE-2015-0293. Upstream acknowledges Stephen Henson of the OpenSSL
development team as the original reporter of CVE-2015-0286, Emilia Käsper
of the OpenSSL development team as the original reporter of CVE-2015-0287,
Brian Carpenter as the original reporter of CVE-2015-0288, Michal Zalewski
of Google as the original reporter of CVE-2015-0289, Robert Dugal and David
Ramos as the original reporters of CVE-2015-0292, and Sean Burford of
Google and Emilia Käsper of the OpenSSL development team as the original
reporters of CVE-2015-0293.
This update also fixes the following bug:
* When a wrapped Advanced Encryption Standard (AES) key did not require any
padding, it was incorrectly padded with 8 bytes, which could lead to data
corruption and interoperability problems. With this update, the rounding
algorithm in the RFC 5649 key wrapping implementation has been fixed. As a
result, the wrapped key conforms to the specification, which prevents the
described problems. (BZ#1197667)
All openssl users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all services linked to the OpenSSL library must be restarted, or
the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-23"/>
<updated date="2015-03-23"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0209">CVE-2015-0209</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0286">CVE-2015-0286</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0287">CVE-2015-0287</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0288">CVE-2015-0288</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0289">CVE-2015-0289</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0292">CVE-2015-0292</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0293">CVE-2015-0293</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0703">CVE-2016-0703</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0704">CVE-2016-0704</cve>
<bugzilla href="https://bugzilla.redhat.com/1196737" id="1196737">CVE-2015-0209 openssl: use-after-free on invalid EC private key import</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202366" id="1202366">CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202380" id="1202380">CVE-2015-0287 openssl: ASN.1 structure reuse memory corruption</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202384" id="1202384">CVE-2015-0289 openssl: PKCS7 NULL pointer dereference</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202395" id="1202395">CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64 decoding</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202404" id="1202404">CVE-2015-0293 openssl: assertion failure in SSLv2 servers</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202418" id="1202418">CVE-2015-0288 openssl: X509_to_X509_REQ NULL pointer dereference</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-42.el7_1.4" test_ref="oval:com.redhat.rhsa:tst:20150716005"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-42.el7_1.4" test_ref="oval:com.redhat.rhsa:tst:20150716007"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-42.el7_1.4" test_ref="oval:com.redhat.rhsa:tst:20150716011"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-42.el7_1.4" test_ref="oval:com.redhat.rhsa:tst:20150716009"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-42.el7_1.4" test_ref="oval:com.redhat.rhsa:tst:20150716013"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150718" version="601">
<metadata>
<title>RHSA-2015:0718: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0718-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0718.html" source="RHSA"/>
<reference ref_id="CVE-2015-0817" ref_url="https://access.redhat.com/security/cve/CVE-2015-0817" source="CVE"/>
<reference ref_id="CVE-2015-0818" ref_url="https://access.redhat.com/security/cve/CVE-2015-0818" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Two flaws were found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
(CVE-2015-0817, CVE-2015-0818)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges ilxu1a and Mariusz Mlynski as the original reporters
of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 31.5.3 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-24"/>
<updated date="2015-03-24"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0817">CVE-2015-0817</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0818">CVE-2015-0818</cve>
<bugzilla href="https://bugzilla.redhat.com/1204362" id="1204362">CVE-2015-0817 Mozilla: Code execution through incorrect JavaScript bounds checking elimination (MFSA 2015-29)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1204363" id="1204363">CVE-2015-0818 Mozilla: Privilege escalation through SVG navigation (MFSA 2015-28)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:31.5.3-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150718002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.5.3-1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150718008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.5.3-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150718014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150726" version="601">
<metadata>
<title>RHSA-2015:0726: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0726-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0726.html" source="RHSA"/>
<reference ref_id="CVE-2014-8159" ref_url="https://access.redhat.com/security/cve/CVE-2014-8159" source="CVE"/>
<reference ref_id="CVE-2015-1421" ref_url="https://access.redhat.com/security/cve/CVE-2015-1421" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* It was found that the Linux kernel's Infiniband subsystem did not
properly sanitize input parameters while registering memory regions from
user space via the (u)verbs API. A local user with access to a
/dev/infiniband/uverbsX device could use this flaw to crash the system or,
potentially, escalate their privileges on the system. (CVE-2014-8159,
Important)
* A use-after-free flaw was found in the way the Linux kernel's SCTP
implementation handled authentication key reference counting during INIT
collisions. A remote attacker could use this flaw to crash the system or,
potentially, escalate their privileges on the system. (CVE-2015-1421,
Important)
Red Hat would like to thank Mellanox for reporting the CVE-2014-8159 issue.
The CVE-2015-1421 issue was discovered by Sun Baoliang of Red Hat.
This update also fixes the following bugs:
* In certain systems with multiple CPUs, when a crash was triggered on one
CPU with an interrupt handler and this CPU sent Non-Maskable Interrupt
(NMI) to another CPU, and, at the same time, ioapic_lock had already been
acquired, a deadlock occurred in ioapic_lock. As a consequence, the kdump
service could become unresponsive. This bug has been fixed and kdump now
works as expected. (BZ#1197742)
* On Lenovo X1 Carbon 3rd Gen, X250, and T550 laptops, the thinkpad_acpi
module was not properly loaded, and thus the function keys and radio
switches did not work. This update applies a new string pattern of BIOS
version, which fixes this bug, and function keys and radio switches now
work as intended. (BZ#1197743)
* During a heavy file system load involving many worker threads, all worker
threads in the pool became blocked on a resource, and no manager thread
existed to create more workers. As a consequence, the running processes
became unresponsive. With this update, the logic around manager creation
has been changed to assure that the last worker thread becomes a manager
thread and does not start executing work items. Now, a manager thread
exists, spawns new workers as needed, and processes no longer hang.
(BZ#1197744)
* If a thin-pool's metadata enters read-only or fail mode, for example, due
to thin-pool running out of metadata or data space, any attempt to make
metadata changes such as creating a thin device or snapshot thin device
should error out cleanly. However, previously, the kernel code returned
verbose and alarming error messages to the user. With this update, due to
early trapping of attempt to make metadata changes, informative errors are
displayed, no longer unnecessarily alarming the user. (BZ#1197745)
* When running Red Hat Enterprise Linux as a guest on Microsoft Hyper-V
hypervisor, the storvsc module did not return the correct error code for
the upper level Small Computer System Interface (SCSI) subsystem. As a
consequence, a SCSI command failed and storvsc did not handle such a
failure properly under some conditions, for example, when RAID devices were
created on top of storvsc devices. An upstream patch has been applied to
fix this bug, and storvsc now returns the correct error code in the
described situation. (BZ#1197749)
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-26"/>
<updated date="2015-03-26"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8159">CVE-2014-8159</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1421">CVE-2015-1421</cve>
<bugzilla href="https://bugzilla.redhat.com/1181166" id="1181166">CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1196581" id="1196581">CVE-2015-1421 kernel: net: slab corruption from use after free on INIT collisions</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726005"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726033"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726025"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726017"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726009"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726023"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726031"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726007"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726029"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726027"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726021"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726019"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726013"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726015"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-229.1.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150726011"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150727" version="601">
<metadata>
<title>RHSA-2015:0727: kernel-rt security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0727-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0727.html" source="RHSA"/>
<reference ref_id="CVE-2014-8159" ref_url="https://access.redhat.com/security/cve/CVE-2014-8159" source="CVE"/>
<reference ref_id="CVE-2015-1421" ref_url="https://access.redhat.com/security/cve/CVE-2015-1421" source="CVE"/>
<description>The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.
* It was found that the Linux kernel's Infiniband subsystem did not
properly sanitize input parameters while registering memory regions from
user space via the (u)verbs API. A local user with access to a
/dev/infiniband/uverbsX device could use this flaw to crash the system or,
potentially, escalate their privileges on the system. (CVE-2014-8159,
Important)
* A use-after-free flaw was found in the way the Linux kernel's SCTP
implementation handled authentication key reference counting during INIT
collisions. A remote attacker could use this flaw to crash the system or,
potentially, escalate their privileges on the system. (CVE-2015-1421,
Important)
Red Hat would like to thank Mellanox for reporting the CVE-2014-8159 issue.
The CVE-2015-1421 issue was discovered by Sun Baoliang of Red Hat.
The kernel-rt packages have been upgraded to version 3.10.0-229.1.2, which
provides a number of bug fixes over the previous version, including:
- The kdump service could become unresponsive due to a deadlock in the
kernel call ioapic_lock.
- Attempt to make metadata changes such as creating a thin device or
snapshot thin device did not error out cleanly.
(BZ#1203359)
All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues. The system must be rebooted for this update to take
effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-26"/>
<updated date="2015-03-26"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8159">CVE-2014-8159</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1421">CVE-2015-1421</cve>
<bugzilla href="https://bugzilla.redhat.com/1181166" id="1181166">CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1196581" id="1196581">CVE-2015-1421 kernel: net: slab corruption from use after free on INIT collisions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1203359" id="1203359">kernel-rt: rebase tree to match RHEL7.1.z source tree</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel-rt is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150727005"/>
<criterion comment="kernel-rt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150727013"/>
<criterion comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150727015"/>
<criterion comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-devel is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150727011"/>
<criterion comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-doc is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150727021"/>
<criterion comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150727007"/>
<criterion comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150727009"/>
<criterion comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150727017"/>
<criterion comment="kernel-rt-virt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150727019"/>
<criterion comment="kernel-rt-virt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150728" version="601">
<metadata>
<title>RHSA-2015:0728: ipa and slapi-nis security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0728-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0728.html" source="RHSA"/>
<reference ref_id="CVE-2015-0283" ref_url="https://access.redhat.com/security/cve/CVE-2015-0283" source="CVE"/>
<reference ref_id="CVE-2015-1827" ref_url="https://access.redhat.com/security/cve/CVE-2015-1827" source="CVE"/>
<description>Red Hat Identity Management is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments. It integrates components of the Red Hat Directory
Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides
web browser and command-line interfaces. Its administration tools allow an
administrator to quickly install, set up, and administer a group of domain
controllers to meet the authentication and identity management requirements
of large-scale Linux and UNIX deployments.
The ipa component provides centrally managed Identity, Policy, and Audit.
The slapi-nis component provides NIS Server and Schema Compatibility
plug-ins for Directory Server.
It was discovered that the IPA extdom Directory Server plug-in did not
correctly perform memory reallocation when handling user account
information. A request for a list of groups for a user that belongs to a
large number of groups would cause a Directory Server to crash.
(CVE-2015-1827)
It was discovered that the slapi-nis Directory Server plug-in did not
correctly perform memory reallocation when handling user account
information. A request for information about a group with many members, or
a request for a user that belongs to a large number of groups, would cause
a Directory Server to enter an infinite loop and consume an excessive
amount of CPU time. (CVE-2015-0283)
These issues were discovered by Sumit Bose of Red Hat.
This update fixes the following bugs:
* Previously, users of IdM were not properly granted the default permission
to read the "facsimiletelephonenumber" user attribute. This update adds
"facsimiletelephonenumber" to the Access Control Instruction (ACI) for user
data, which makes the attribute readable to authenticated users as
expected. (BZ#1198430)
* Prior to this update, when a DNS zone was saved in an LDAP database
without a dot character (.) at the end, internal DNS commands and
operations, such as dnsrecord-* or dnszone-*, failed. With this update, DNS
commands always supply the DNS zone with a dot character at the end, which
prevents the described problem. (BZ#1198431)
* After a full-server IdM restore operation, the restored server in some
cases contained invalid data. In addition, if the restored server was used
to reinitialize a replica, the replica then contained invalid data as well.
To fix this problem, the IdM API is now created correctly during the
restore operation, and *.ldif files are not skipped during the removal of
RUV data. As a result, the restored server and its replica no longer
contain invalid data. (BZ#1199060)
* Previously, a deadlock in some cases occurred during an IdM upgrade,
which could cause the IdM server to become unresponsive. With this update,
the Schema Compatibility plug-in has been adjusted not to parse the subtree
that contains the configuration of the DNA plug-in, which prevents this
deadlock from triggering. (BZ#1199128)
* When using the extdom plug-in of IdM to handle large groups, user lookups
and group lookups previously failed due to insufficient buffer size.
With this update, the getgrgid_r() call gradually increases the buffer
length if needed, and the described failure of extdom thus no longer
occurs. (BZ#1203204)
Users of ipa and slapi-nis are advised to upgrade to these updated
packages, which correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-26"/>
<updated date="2015-03-26"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0283">CVE-2015-0283</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1827">CVE-2015-1827</cve>
<bugzilla href="https://bugzilla.redhat.com/1195729" id="1195729">CVE-2015-0283 slapi-nis: infinite loop in getgrnam_r() and getgrgid_r()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198430" id="1198430">Fax number not displayed for user-show when kinit'ed as normal user.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198431" id="1198431">"an internal error has occurred" during ipa host-del --updatedns</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199060" id="1199060">Replication agreement with replica not disabled when ipa-restore done without IPA installed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199128" id="1199128">Limit deadlocks between DS plugin DNA and slapi-nis</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205200" id="1205200">CVE-2015-1827 ipa: memory corruption when using get_user_grouplist()</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="slapi-nis is earlier than 0:0.54-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150728005"/>
<criterion comment="slapi-nis is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150728006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa is earlier than 0:4.1.0-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20150728007"/>
<criterion comment="ipa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-admintools is earlier than 0:4.1.0-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20150728011"/>
<criterion comment="ipa-admintools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442012"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-client is earlier than 0:4.1.0-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20150728013"/>
<criterion comment="ipa-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-python is earlier than 0:4.1.0-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20150728009"/>
<criterion comment="ipa-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442008"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-server is earlier than 0:4.1.0-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20150728015"/>
<criterion comment="ipa-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ipa-server-trust-ad is earlier than 0:4.1.0-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20150728017"/>
<criterion comment="ipa-server-trust-ad is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150442016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150729" version="601">
<metadata>
<title>RHSA-2015:0729: setroubleshoot security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2015:0729-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0729.html" source="RHSA"/>
<reference ref_id="CVE-2015-1815" ref_url="https://access.redhat.com/security/cve/CVE-2015-1815" source="CVE"/>
<description>The setroubleshoot packages provide tools to help diagnose SELinux
problems. When Access Vector Cache (AVC) messages are returned, an alert
can be generated that provides information about the problem and helps to
track its resolution.
It was found that setroubleshoot did not sanitize file names supplied in a
shell command look-up for RPMs associated with access violation reports.
An attacker could use this flaw to escalate their privileges on the system
by supplying a specially crafted file to the underlying shell command.
(CVE-2015-1815)
Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for
reporting this issue.
All setroubleshoot users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-26"/>
<updated date="2015-03-26"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1815">CVE-2015-1815</cve>
<bugzilla href="https://bugzilla.redhat.com/1203352" id="1203352">CVE-2015-1815 setroubleshoot: command injection via crafted file name</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="setroubleshoot is earlier than 0:2.0.5-7.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150729002"/>
<criterion comment="setroubleshoot is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150729003"/>
</criteria>
<criteria operator="AND">
<criterion comment="setroubleshoot-server is earlier than 0:2.0.5-7.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150729004"/>
<criterion comment="setroubleshoot-server is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150729005"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="setroubleshoot is earlier than 0:3.0.47-6.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20150729010"/>
<criterion comment="setroubleshoot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150729011"/>
</criteria>
<criteria operator="AND">
<criterion comment="setroubleshoot-doc is earlier than 0:3.0.47-6.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20150729012"/>
<criterion comment="setroubleshoot-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150729013"/>
</criteria>
<criteria operator="AND">
<criterion comment="setroubleshoot-server is earlier than 0:3.0.47-6.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20150729014"/>
<criterion comment="setroubleshoot-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150729015"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="setroubleshoot is earlier than 0:3.2.17-4.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150729020"/>
<criterion comment="setroubleshoot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150729011"/>
</criteria>
<criteria operator="AND">
<criterion comment="setroubleshoot-server is earlier than 0:3.2.17-4.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150729021"/>
<criterion comment="setroubleshoot-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150729015"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150749" version="601">
<metadata>
<title>RHSA-2015:0749: libxml2 security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0749-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0749.html" source="RHSA"/>
<reference ref_id="CVE-2014-0191" ref_url="https://access.redhat.com/security/cve/CVE-2014-0191" source="CVE"/>
<description>The libxml2 library is a development toolbox providing the implementation
of various XML standards.
It was discovered that libxml2 loaded external parameter entities even when
entity substitution was disabled. A remote attacker able to provide a
specially crafted XML file to an application linked against libxml2 could
use this flaw to conduct XML External Entity (XXE) attacks, possibly
resulting in a denial of service or an information leak on the system.
(CVE-2014-0191)
The CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat.
All libxml2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. The desktop must be
restarted (log out, then log back in) for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-30"/>
<updated date="2015-03-30"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0191">CVE-2014-0191</cve>
<bugzilla href="https://bugzilla.redhat.com/1090976" id="1090976">CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libxml2 is earlier than 0:2.9.1-5.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150749005"/>
<criterion comment="libxml2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-devel is earlier than 0:2.9.1-5.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150749007"/>
<criterion comment="libxml2-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-python is earlier than 0:2.9.1-5.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150749009"/>
<criterion comment="libxml2-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-static is earlier than 0:2.9.1-5.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150749011"/>
<criterion comment="libxml2-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150750" version="601">
<metadata>
<title>RHSA-2015:0750: postgresql security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:0750-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0750.html" source="RHSA"/>
<reference ref_id="CVE-2014-8161" ref_url="https://access.redhat.com/security/cve/CVE-2014-8161" source="CVE"/>
<reference ref_id="CVE-2015-0241" ref_url="https://access.redhat.com/security/cve/CVE-2015-0241" source="CVE"/>
<reference ref_id="CVE-2015-0243" ref_url="https://access.redhat.com/security/cve/CVE-2015-0243" source="CVE"/>
<reference ref_id="CVE-2015-0244" ref_url="https://access.redhat.com/security/cve/CVE-2015-0244" source="CVE"/>
<description>PostgreSQL is an advanced object-relational database management system
(DBMS).
An information leak flaw was found in the way the PostgreSQL database
server handled certain error messages. An authenticated database user could
possibly obtain the results of a query they did not have privileges to
execute by observing the constraint violation error messages produced when
the query was executed. (CVE-2014-8161)
A buffer overflow flaw was found in the way PostgreSQL handled certain
numeric formatting. An authenticated database user could use a specially
crafted timestamp formatting template to cause PostgreSQL to crash or,
under certain conditions, execute arbitrary code with the permissions of
the user running PostgreSQL. (CVE-2015-0241)
A stack-buffer overflow flaw was found in PostgreSQL's pgcrypto module.
An authenticated database user could use this flaw to cause PostgreSQL to
crash or, potentially, execute arbitrary code with the permissions of the
user running PostgreSQL. (CVE-2015-0243)
A flaw was found in the way PostgreSQL handled certain errors that were
generated during protocol synchronization. An authenticated database user
could use this flaw to inject queries into an existing connection.
(CVE-2015-0244)
Red Hat would like to thank the PostgreSQL project for reporting these
issues. Upstream acknowledges Stephen Frost as the original reporter of
CVE-2014-8161; Andres Freund, Peter Geoghegan, Bernd Helmle, and Noah Misch
as the original reporters of CVE-2015-0241; Marko Tiikkaja as the original
reporter of CVE-2015-0243; and Emil Lenngren as the original reporter of
CVE-2015-0244.
All PostgreSQL users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. If the postgresql
service is running, it will be automatically restarted after installing
this update.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-30"/>
<updated date="2015-03-30"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8161">CVE-2014-8161</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0241">CVE-2015-0241</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0243">CVE-2015-0243</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0244">CVE-2015-0244</cve>
<bugzilla href="https://bugzilla.redhat.com/1182043" id="1182043">CVE-2014-8161 postgresql: information leak through constraint violation errors</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1188684" id="1188684">CVE-2015-0241 postgresql: buffer overflow in the to_char() function</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1188689" id="1188689">CVE-2015-0243 postgresql: buffer overflow flaws in contrib/pgcrypto</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1188694" id="1188694">CVE-2015-0244 postgresql: loss of frontend/backend protocol synchronization after an error</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="postgresql is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750005"/>
<criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750006"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-contrib is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750017"/>
<criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750018"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-devel is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750013"/>
<criterion comment="postgresql-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750014"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-docs is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750015"/>
<criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750016"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-libs is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750019"/>
<criterion comment="postgresql-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750020"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plperl is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750011"/>
<criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750012"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plpython is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750007"/>
<criterion comment="postgresql-plpython is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750008"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-pltcl is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750021"/>
<criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750022"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-server is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750009"/>
<criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750010"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-test is earlier than 0:8.4.20-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150750023"/>
<criterion comment="postgresql-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750024"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="postgresql is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750029"/>
<criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750006"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-contrib is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750032"/>
<criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750018"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-devel is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750034"/>
<criterion comment="postgresql-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750014"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-docs is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750039"/>
<criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750016"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-libs is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750033"/>
<criterion comment="postgresql-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750020"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plperl is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750030"/>
<criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750012"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plpython is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750031"/>
<criterion comment="postgresql-plpython is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750008"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-pltcl is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750038"/>
<criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750022"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-server is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750035"/>
<criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750010"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-test is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750040"/>
<criterion comment="postgresql-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750024"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-upgrade is earlier than 0:9.2.10-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150750036"/>
<criterion comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750037"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150766" version="601">
<metadata>
<title>RHSA-2015:0766: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0766-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0766.html" source="RHSA"/>
<reference ref_id="CVE-2015-0801" ref_url="https://access.redhat.com/security/cve/CVE-2015-0801" source="CVE"/>
<reference ref_id="CVE-2015-0807" ref_url="https://access.redhat.com/security/cve/CVE-2015-0807" source="CVE"/>
<reference ref_id="CVE-2015-0813" ref_url="https://access.redhat.com/security/cve/CVE-2015-0813" source="CVE"/>
<reference ref_id="CVE-2015-0815" ref_url="https://access.redhat.com/security/cve/CVE-2015-0815" source="CVE"/>
<reference ref_id="CVE-2015-0816" ref_url="https://access.redhat.com/security/cve/CVE-2015-0816" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2015-0813, CVE-2015-0815, CVE-2015-0801)
A flaw was found in the way documents were loaded via resource URLs in, for
example, Mozilla's PDF.js PDF file viewer. An attacker could use this flaw
to bypass certain restrictions and under certain conditions even execute
arbitrary code with the privileges of the user running Firefox.
(CVE-2015-0816)
A flaw was found in the Beacon interface implementation in Firefox. A web
page containing malicious content could allow a remote attacker to conduct
a Cross-Site Request Forgery (CSRF) attack. (CVE-2015-0807)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, Byron Campen, Steve Fink, Mariusz
Mlynski, Christoph Kerschbaumer, Muneaki Nishimura, Olli Pettay, Boris
Zbarsky, and Aki Helin as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 31.6.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-01"/>
<updated date="2015-04-01"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0801">CVE-2015-0801</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0807">CVE-2015-0807</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0813">CVE-2015-0813</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0815">CVE-2015-0815</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0816">CVE-2015-0816</cve>
<bugzilla href="https://bugzilla.redhat.com/1207068" id="1207068">CVE-2015-0815 Mozilla: Miscellaneous memory safety hazards (rv:31.6) (MFSA 2015-30)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207072" id="1207072">CVE-2015-0816 Mozilla: resource:// documents can load privileged pages (MFSA 2015-33)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207076" id="1207076">CVE-2015-0807 Mozilla: CORS requests should not follow 30x redirections after preflight (MFSA 2015-36)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207084" id="1207084">CVE-2015-0801 Mozilla: Same-origin bypass through anchor navigation (MFSA 2015-40)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207088" id="1207088">CVE-2015-0813 Mozilla: Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA 2015-31)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:31.6.0-2.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150766002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.6.0-2.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150766008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xulrunner is earlier than 0:31.6.0-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150766014"/>
<criterion comment="xulrunner is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xulrunner-devel is earlier than 0:31.6.0-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150766016"/>
<criterion comment="xulrunner-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741018"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:31.6.0-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150766018"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150767" version="601">
<metadata>
<title>RHSA-2015:0767: flac security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0767-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0767.html" source="RHSA"/>
<reference ref_id="CVE-2014-8962" ref_url="https://access.redhat.com/security/cve/CVE-2014-8962" source="CVE"/>
<reference ref_id="CVE-2014-9028" ref_url="https://access.redhat.com/security/cve/CVE-2014-9028" source="CVE"/>
<description>The flac packages contain a decoder and an encoder for the FLAC (Free
Lossless Audio Codec) audio file format.
A buffer overflow flaw was found in the way flac decoded FLAC audio files.
An attacker could create a specially crafted FLAC audio file that could
cause an application using the flac library to crash or execute arbitrary
code when the file was read. (CVE-2014-9028)
A buffer over-read flaw was found in the way flac processed certain ID3v2
metadata. An attacker could create a specially crafted FLAC audio file that
could cause an application using the flac library to crash when the file
was read. (CVE-2014-8962)
All flac users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
update, all applications linked against the flac library must be restarted
for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-03-31"/>
<updated date="2015-04-01"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8962">CVE-2014-8962</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9028">CVE-2014-9028</cve>
<bugzilla href="https://bugzilla.redhat.com/1167236" id="1167236">CVE-2014-8962 flac: Buffer read overflow when processing ID3V2 metadata</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1167741" id="1167741">CVE-2014-9028 flac: Heap buffer write overflow in read_residual_partitioned_rice_</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="flac is earlier than 0:1.2.1-7.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150767005"/>
<criterion comment="flac is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150767006"/>
</criteria>
<criteria operator="AND">
<criterion comment="flac-devel is earlier than 0:1.2.1-7.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150767007"/>
<criterion comment="flac-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150767008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="flac is earlier than 0:1.3.0-5.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150767013"/>
<criterion comment="flac is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150767006"/>
</criteria>
<criteria operator="AND">
<criterion comment="flac-devel is earlier than 0:1.3.0-5.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150767014"/>
<criterion comment="flac-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150767008"/>
</criteria>
<criteria operator="AND">
<criterion comment="flac-libs is earlier than 0:1.3.0-5.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150767015"/>
<criterion comment="flac-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150767016"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150771" version="601">
<metadata>
<title>RHSA-2015:0771: thunderbird security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2015:0771-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0771.html" source="RHSA"/>
<reference ref_id="CVE-2015-0801" ref_url="https://access.redhat.com/security/cve/CVE-2015-0801" source="CVE"/>
<reference ref_id="CVE-2015-0807" ref_url="https://access.redhat.com/security/cve/CVE-2015-0807" source="CVE"/>
<reference ref_id="CVE-2015-0813" ref_url="https://access.redhat.com/security/cve/CVE-2015-0813" source="CVE"/>
<reference ref_id="CVE-2015-0815" ref_url="https://access.redhat.com/security/cve/CVE-2015-0815" source="CVE"/>
<reference ref_id="CVE-2015-0816" ref_url="https://access.redhat.com/security/cve/CVE-2015-0816" source="CVE"/>
<description>Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-0813, CVE-2015-0815, CVE-2015-0801)
A flaw was found in the way documents were loaded via resource URLs.
An attacker could use this flaw to bypass certain restrictions and under
certain conditions even execute arbitrary code with the privileges of the
user running Thunderbird. (CVE-2015-0816)
A flaw was found in the Beacon interface implementation in Thunderbird.
A web page containing malicious content could allow a remote attacker to
conduct a Cross-Site Request Forgery (CSRF) attack. (CVE-2015-0807)
Note: All of the above issues cannot be exploited by a specially crafted
HTML mail message as JavaScript is disabled by default for mail messages.
They could be exploited another way in Thunderbird, for example, when
viewing the full remote content of an RSS feed.
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, Byron Campen, Steve Fink, Mariusz
Mlynski, Christoph Kerschbaumer, Muneaki Nishimura, Olli Pettay, Boris
Zbarsky, and Aki Helin as the original reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 31.6.0. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 31.6.0, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-01"/>
<updated date="2015-04-01"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0801">CVE-2015-0801</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0807">CVE-2015-0807</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0813">CVE-2015-0813</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0815">CVE-2015-0815</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0816">CVE-2015-0816</cve>
<bugzilla href="https://bugzilla.redhat.com/1207068" id="1207068">CVE-2015-0815 Mozilla: Miscellaneous memory safety hazards (rv:31.6) (MFSA 2015-30)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207072" id="1207072">CVE-2015-0816 Mozilla: resource:// documents can load privileged pages (MFSA 2015-33)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207076" id="1207076">CVE-2015-0807 Mozilla: CORS requests should not follow 30x redirections after preflight (MFSA 2015-37)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207084" id="1207084">CVE-2015-0801 Mozilla: Same-origin bypass through anchor navigation (MFSA 2015-40)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207088" id="1207088">CVE-2015-0813 Mozilla: Use-after-free when using the Fluendo MP3 GStreamer plugin (MFSA 2015-31)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/a:redhat:rhel_productivity:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="thunderbird is earlier than 0:31.6.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150771002"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150771003"/>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:31.6.0-1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150771008"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:31.6.0-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150771014"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150797" version="601">
<metadata>
<title>RHSA-2015:0797: xorg-x11-server security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0797-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0797.html" source="RHSA"/>
<reference ref_id="CVE-2015-0255" ref_url="https://access.redhat.com/security/cve/CVE-2015-0255" source="CVE"/>
<description>X.Org is an open source implementation of the X Window System. It provides
the basic low-level functionality that full-fledged graphical user
interfaces are designed upon.
A buffer over-read flaw was found in the way the X.Org server handled
XkbGetGeometry requests. A malicious, authorized client could use this flaw
to disclose portions of the X.Org server memory, or cause the X.Org server
to crash using a specially crafted XkbGetGeometry request. (CVE-2015-0255)
This issue was discovered by Olivier Fourdan of Red Hat.
All xorg-x11-server users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-10"/>
<updated date="2015-04-10"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0255">CVE-2015-0255</cve>
<bugzilla href="https://bugzilla.redhat.com/1189062" id="1189062">CVE-2015-0255 xorg-x11-server: information leak in the XkbSetGeometry request of X servers</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xorg-x11-server is earlier than 0:1.15.0-26.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150797005"/>
<criterion comment="xorg-x11-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983006"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xdmx is earlier than 0:1.15.0-26.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150797021"/>
<criterion comment="xorg-x11-server-Xdmx is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983010"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xephyr is earlier than 0:1.15.0-26.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150797019"/>
<criterion comment="xorg-x11-server-Xephyr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983014"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xnest is earlier than 0:1.15.0-26.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150797011"/>
<criterion comment="xorg-x11-server-Xnest is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983008"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xorg is earlier than 0:1.15.0-26.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150797007"/>
<criterion comment="xorg-x11-server-Xorg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983020"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xvfb is earlier than 0:1.15.0-26.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150797009"/>
<criterion comment="xorg-x11-server-Xvfb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983018"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-common is earlier than 0:1.15.0-26.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150797015"/>
<criterion comment="xorg-x11-server-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-devel is earlier than 0:1.15.0-26.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150797017"/>
<criterion comment="xorg-x11-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983022"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-source is earlier than 0:1.15.0-26.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150797013"/>
<criterion comment="xorg-x11-server-source is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xorg-x11-server is earlier than 0:1.15.0-33.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150797027"/>
<criterion comment="xorg-x11-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983006"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xdmx is earlier than 0:1.15.0-33.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150797031"/>
<criterion comment="xorg-x11-server-Xdmx is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983010"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xephyr is earlier than 0:1.15.0-33.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150797035"/>
<criterion comment="xorg-x11-server-Xephyr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983014"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xnest is earlier than 0:1.15.0-33.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150797028"/>
<criterion comment="xorg-x11-server-Xnest is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983008"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xorg is earlier than 0:1.15.0-33.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150797034"/>
<criterion comment="xorg-x11-server-Xorg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983020"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-Xvfb is earlier than 0:1.15.0-33.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150797033"/>
<criterion comment="xorg-x11-server-Xvfb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983018"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-common is earlier than 0:1.15.0-33.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150797032"/>
<criterion comment="xorg-x11-server-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983016"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-devel is earlier than 0:1.15.0-33.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150797029"/>
<criterion comment="xorg-x11-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983022"/>
</criteria>
<criteria operator="AND">
<criterion comment="xorg-x11-server-source is earlier than 0:1.15.0-33.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150797030"/>
<criterion comment="xorg-x11-server-source is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141983012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150806" version="601">
<metadata>
<title>RHSA-2015:0806: java-1.7.0-openjdk security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:0806-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0806.html" source="RHSA"/>
<reference ref_id="CVE-2005-1080" ref_url="https://access.redhat.com/security/cve/CVE-2005-1080" source="CVE"/>
<reference ref_id="CVE-2015-0460" ref_url="https://access.redhat.com/security/cve/CVE-2015-0460" source="CVE"/>
<reference ref_id="CVE-2015-0469" ref_url="https://access.redhat.com/security/cve/CVE-2015-0469" source="CVE"/>
<reference ref_id="CVE-2015-0477" ref_url="https://access.redhat.com/security/cve/CVE-2015-0477" source="CVE"/>
<reference ref_id="CVE-2015-0478" ref_url="https://access.redhat.com/security/cve/CVE-2015-0478" source="CVE"/>
<reference ref_id="CVE-2015-0480" ref_url="https://access.redhat.com/security/cve/CVE-2015-0480" source="CVE"/>
<reference ref_id="CVE-2015-0488" ref_url="https://access.redhat.com/security/cve/CVE-2015-0488" source="CVE"/>
<description>The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font file
could possibly cause the Java Virtual Machine to execute arbitrary code,
allowing an untrusted Java application or applet to bypass Java sandbox
restrictions. (CVE-2015-0469)
A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use this
flaw to corrupt the Java Virtual Machine memory and, possibly, execute
arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)
A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly. (CVE-2015-0488)
A flaw was discovered in the Beans component in OpenJDK. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions. (CVE-2015-0477)
A directory traversal flaw was found in the way the jar tool extracted JAR
archive files. A specially crafted JAR archive could cause jar to overwrite
arbitrary files writable by the user running jar when the archive was
extracted. (CVE-2005-1080, CVE-2015-0480)
It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures.
(CVE-2015-0478)
The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-14"/>
<updated date="2015-04-15"/>
<cve href="https://access.redhat.com/security/cve/CVE-2005-1080">CVE-2005-1080</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0460">CVE-2015-0460</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0469">CVE-2015-0469</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0477">CVE-2015-0477</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0478">CVE-2015-0478</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0480">CVE-2015-0480</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0488">CVE-2015-0488</cve>
<bugzilla href="https://bugzilla.redhat.com/606442" id="606442">CVE-2005-1080 jar: directory traversal vulnerability</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1210355" id="1210355">CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1210829" id="1210829">CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211285" id="1211285">CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211299" id="1211299">CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211504" id="1211504">CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211543" id="1211543">CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.79-2.5.5.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150806005"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.79-2.5.5.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150806007"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.79-2.5.5.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150806011"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.79-2.5.5.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150806009"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.79-2.5.5.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150806013"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.79-2.5.5.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150806019"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.79-2.5.5.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150806025"/>
<criterion comment="java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.79-2.5.5.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150806023"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.79-2.5.5.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150806022"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.79-2.5.5.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150806020"/>
<criterion comment="java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.79-2.5.5.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150806027"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.79-2.5.5.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150806024"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150808" version="601">
<metadata>
<title>RHSA-2015:0808: java-1.6.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:0808-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0808.html" source="RHSA"/>
<reference ref_id="CVE-2005-1080" ref_url="https://access.redhat.com/security/cve/CVE-2005-1080" source="CVE"/>
<reference ref_id="CVE-2015-0460" ref_url="https://access.redhat.com/security/cve/CVE-2015-0460" source="CVE"/>
<reference ref_id="CVE-2015-0469" ref_url="https://access.redhat.com/security/cve/CVE-2015-0469" source="CVE"/>
<reference ref_id="CVE-2015-0477" ref_url="https://access.redhat.com/security/cve/CVE-2015-0477" source="CVE"/>
<reference ref_id="CVE-2015-0478" ref_url="https://access.redhat.com/security/cve/CVE-2015-0478" source="CVE"/>
<reference ref_id="CVE-2015-0480" ref_url="https://access.redhat.com/security/cve/CVE-2015-0480" source="CVE"/>
<reference ref_id="CVE-2015-0488" ref_url="https://access.redhat.com/security/cve/CVE-2015-0488" source="CVE"/>
<description>The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font file
could possibly cause the Java Virtual Machine to execute arbitrary code,
allowing an untrusted Java application or applet to bypass Java sandbox
restrictions. (CVE-2015-0469)
A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use this
flaw to corrupt the Java Virtual Machine memory and, possibly, execute
arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)
A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly. (CVE-2015-0488)
A flaw was discovered in the Beans component in OpenJDK. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions. (CVE-2015-0477)
A directory traversal flaw was found in the way the jar tool extracted JAR
archive files. A specially crafted JAR archive could cause jar to overwrite
arbitrary files writable by the user running jar when the archive was
extracted. (CVE-2005-1080, CVE-2015-0480)
It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures.
(CVE-2015-0478)
The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-14"/>
<updated date="2015-04-15"/>
<cve href="https://access.redhat.com/security/cve/CVE-2005-1080">CVE-2005-1080</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0460">CVE-2015-0460</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0469">CVE-2015-0469</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0477">CVE-2015-0477</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0478">CVE-2015-0478</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0480">CVE-2015-0480</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0488">CVE-2015-0488</cve>
<bugzilla href="https://bugzilla.redhat.com/606442" id="606442">CVE-2005-1080 jar: directory traversal vulnerability</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1210355" id="1210355">CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1210829" id="1210829">CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211285" id="1211285">CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211299" id="1211299">CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211504" id="1211504">CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211543" id="1211543">CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.35-1.13.7.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150808002"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907003"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.35-1.13.7.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150808010"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907011"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.35-1.13.7.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150808004"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907009"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.35-1.13.7.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150808008"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907007"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.35-1.13.7.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150808006"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907005"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.35-1.13.7.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150808016"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.35-1.13.7.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150808018"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.35-1.13.7.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150808020"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.35-1.13.7.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150808024"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.35-1.13.7.1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150808022"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.35-1.13.7.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150808030"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.35-1.13.7.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150808031"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.35-1.13.7.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150808033"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.35-1.13.7.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150808032"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.35-1.13.7.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150808034"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150809" version="601">
<metadata>
<title>RHSA-2015:0809: java-1.8.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:0809-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0809.html" source="RHSA"/>
<reference ref_id="CVE-2005-1080" ref_url="https://access.redhat.com/security/cve/CVE-2005-1080" source="CVE"/>
<reference ref_id="CVE-2015-0460" ref_url="https://access.redhat.com/security/cve/CVE-2015-0460" source="CVE"/>
<reference ref_id="CVE-2015-0469" ref_url="https://access.redhat.com/security/cve/CVE-2015-0469" source="CVE"/>
<reference ref_id="CVE-2015-0470" ref_url="https://access.redhat.com/security/cve/CVE-2015-0470" source="CVE"/>
<reference ref_id="CVE-2015-0477" ref_url="https://access.redhat.com/security/cve/CVE-2015-0477" source="CVE"/>
<reference ref_id="CVE-2015-0478" ref_url="https://access.redhat.com/security/cve/CVE-2015-0478" source="CVE"/>
<reference ref_id="CVE-2015-0480" ref_url="https://access.redhat.com/security/cve/CVE-2015-0480" source="CVE"/>
<reference ref_id="CVE-2015-0488" ref_url="https://access.redhat.com/security/cve/CVE-2015-0488" source="CVE"/>
<description>The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font file
could possibly cause the Java Virtual Machine to execute arbitrary code,
allowing an untrusted Java application or applet to bypass Java sandbox
restrictions. (CVE-2015-0469)
A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use this
flaw to corrupt the Java Virtual Machine memory and, possibly, execute
arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)
A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly. (CVE-2015-0488)
Multiple flaws were discovered in the Beans and Hotspot components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470)
A directory traversal flaw was found in the way the jar tool extracted JAR
archive files. A specially crafted JAR archive could cause jar to overwrite
arbitrary files writable by the user running jar when the archive was
extracted. (CVE-2005-1080, CVE-2015-0480)
It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures.
(CVE-2015-0478)
The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.
All users of java-1.8.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-14"/>
<updated date="2015-04-15"/>
<cve href="https://access.redhat.com/security/cve/CVE-2005-1080">CVE-2005-1080</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0460">CVE-2015-0460</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0469">CVE-2015-0469</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0470">CVE-2015-0470</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0477">CVE-2015-0477</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0478">CVE-2015-0478</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0480">CVE-2015-0480</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0488">CVE-2015-0488</cve>
<bugzilla href="https://bugzilla.redhat.com/606442" id="606442">CVE-2005-1080 jar: directory traversal vulnerability</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1210355" id="1210355">CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1210829" id="1210829">CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211285" id="1211285">CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211299" id="1211299">CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211387" id="1211387">CVE-2015-0470 OpenJDK: incorrect handling of default methods (Hotspot, 8065366)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211504" id="1211504">CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211543" id="1211543">CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk is earlier than 1:1.8.0.45-28.b13.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150809005"/>
<criterion comment="java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.45-28.b13.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150809009"/>
<criterion comment="java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.45-28.b13.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150809007"/>
<criterion comment="java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.45-28.b13.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150809011"/>
<criterion comment="java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.45-28.b13.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150809013"/>
<criterion comment="java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.45-28.b13.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150809015"/>
<criterion comment="java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809016"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk is earlier than 1:1.8.0.45-30.b13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150809021"/>
<criterion comment="java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.45-30.b13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150809022"/>
<criterion comment="java-1.8.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809023"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.45-30.b13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150809025"/>
<criterion comment="java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.45-30.b13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150809026"/>
<criterion comment="java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.45-30.b13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150809027"/>
<criterion comment="java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.45-30.b13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150809024"/>
<criterion comment="java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.45-30.b13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150809028"/>
<criterion comment="java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809016"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150895" version="601">
<metadata>
<title>RHSA-2015:0895: 389-ds-base security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0895-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0895.html" source="RHSA"/>
<reference ref_id="CVE-2015-1854" ref_url="https://access.redhat.com/security/cve/CVE-2015-1854" source="CVE"/>
<description>The 389 Directory Server is an LDAPv3 compliant server. The base packages
include the Lightweight Directory Access Protocol (LDAP) server and
command-line utilities for server administration.
A flaw was found in the way Red Hat Directory Server performed
authorization of modrdn operations. An unauthenticated attacker able to
issue an ldapmodrdn call to the directory server could use this flaw to
perform unauthorized modifications of entries in the directory server.
(CVE-2015-1854)
This issue was discovered by Simo Sorce of Red Hat.
All 389-ds-base users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue. After installing
this update, the 389 server service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-28"/>
<updated date="2015-04-28"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1854">CVE-2015-1854</cve>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="389-ds-base is earlier than 0:1.3.3.1-16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150895007"/>
<criterion comment="389-ds-base is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031006"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-devel is earlier than 0:1.3.3.1-16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150895009"/>
<criterion comment="389-ds-base-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031010"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-libs is earlier than 0:1.3.3.1-16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150895005"/>
<criterion comment="389-ds-base-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150980" version="602">
<metadata>
<title>RHSA-2015:0980: pcs security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0980-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0980.html" source="RHSA"/>
<reference ref_id="CVE-2015-1848" ref_url="https://access.redhat.com/security/cve/CVE-2015-1848" source="CVE"/>
<reference ref_id="CVE-2015-3983" ref_url="https://access.redhat.com/security/cve/CVE-2015-3983" source="CVE"/>
<description>The pcs packages provide a command-line tool and a web UI to configure and
manage the Pacemaker and Corosync tools.
It was found that the pcs daemon did not sign cookies containing session
data that were sent to clients connecting via the pcsd web UI. A remote
attacker could use this flaw to forge cookies and bypass authorization
checks, possibly gaining elevated privileges in the pcsd web UI.
(CVE-2015-1848)
This issue was discovered by Tomas Jelinek of Red Hat.
This update also fixes the following bug:
* Previously, the Corosync tool allowed the two_node option and the
auto_tie_breaker option to exist in the corosync.conf file at the same
time. As a consequence, if both options were included, auto_tie_breaker was
silently ignored and the two_node fence race decided which node would
survive in the event of a communication break. With this update, the pcs
daemon has been fixed so that it does not produce corosync.conf files with
both two_node and auto_tie_breaker included. In addition, if both two_node
and auto_tie_breaker are detected in corosync.conf, Corosync issues a
message at start-up and disables two_node mode. As a result,
auto_tie_breaker effectively overrides two_node mode if both options are
specified. (BZ#1205848)
All pcs users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the pcsd daemon will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-12"/>
<updated date="2015-05-12"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1848">CVE-2015-1848</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3983">CVE-2015-3983</cve>
<bugzilla href="https://bugzilla.redhat.com/1208294" id="1208294">CVE-2015-1848 CVE-2015-3983 pcs: improper web session variable signing</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="pcs is earlier than 0:0.9.137-13.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150980005"/>
<criterion comment="pcs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150980006"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-clufter is earlier than 0:0.9.137-13.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150980007"/>
<criterion comment="python-clufter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150980008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150981" version="602">
<metadata>
<title>RHSA-2015:0981: kernel-rt security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0981-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0981.html" source="RHSA"/>
<reference ref_id="CVE-2015-3331" ref_url="https://access.redhat.com/security/cve/CVE-2015-3331" source="CVE"/>
<description>The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.
* A buffer overflow flaw was found in the way the Linux kernel's Intel
AES-NI instructions optimized version of the RFC4106 GCM mode decryption
functionality handled fragmented packets. A remote attacker could use this
flaw to crash, or potentially escalate their privileges on, a system over a
connection with an active AEC-GCM mode IPSec security association.
(CVE-2015-3331, Important)
The kernel-rt packages have been upgraded to version 3.10.0-229.4.1, which
provides a number of bug fixes and enhancements over the previous version,
including:
* Audit subsystem not resolving path name on directory watches
* audit watches do not track correctly after a rename
* auditctl output is changed in RHEL 7
* megaraid_sas: non-booting system with intel_iommu=on kernel parameter
* GFS2: kernel NULL pointer dereference in gfs2_inplace_reserve
* Crypto adapter cannot be brought online - affect all HW
* crypto/seqiv.c: wrong check of return code from crypto_rng_get_bytes
* Backport crypto: sha256_ssse3 - also test for BMI2
* Null pointer at team_handle_frame+0x62/0x100 [team]
* AES CTR x86_64 "by8" AVX optimization
* Intel RDSEED - Fix for entropy counting
* Intel SHA1 multi-buffer crypto implementation
* Intel SHA1 AVX2 optimization support
* mlx4_en: HW timestamp ends up in error queue of socket which does not
have SO_TIMESTAMPING enabled
(BZ#1209963)
This update also fixes the following bugs:
* Prior to this update, heavy lock contention occurred on systems with
greater than 32 cores when large numbers of tasks went idle simultaneously.
Consequently, all the idle CPUs attempted to acquire the run-queue (rq)
lock of a CPU with extra tasks in order to pull those run-able tasks.
This increased scheduler latency due to the lock contention. Instead of
each idle CPU attempting to acquire the run-queue lock, now each idle CPU
will send an IPI to let the overloaded CPU select one core to pull tasks
from it. The result is less spin-lock contention on the rq lock and
produces improved scheduler response time. (BZ#1210924)
* The CONFIG_NO_HZ logic enabled/disabled the timer tick every time a CPU
went into an idle state. This timer tick manipulation caused the system
performance (throughput) to suffer. The CONFIG_NO_HZ configuration setting
is now turned off by default, which increases the throughput due to the
lower idle overhead while allowing system administrators to enable it
selectively in their environment. (BZ#1210597)
All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-12"/>
<updated date="2015-05-12"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3331">CVE-2015-3331</cve>
<bugzilla href="https://bugzilla.redhat.com/1209963" id="1209963">kernel-rt: rebase tree to match RHEL7.1.z source tree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213322" id="1213322">CVE-2015-3331 Kernel: crypto: buffer overruns in RFC4106 implementation using AESNI</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel-rt is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150981011"/>
<criterion comment="kernel-rt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150981015"/>
<criterion comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150981017"/>
<criterion comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-devel is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150981009"/>
<criterion comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-doc is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150981005"/>
<criterion comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150981007"/>
<criterion comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150981019"/>
<criterion comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150981013"/>
<criterion comment="kernel-rt-virt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150981021"/>
<criterion comment="kernel-rt-virt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150983" version="602">
<metadata>
<title>RHSA-2015:0983: tomcat security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0983-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0983.html" source="RHSA"/>
<reference ref_id="CVE-2014-0227" ref_url="https://access.redhat.com/security/cve/CVE-2014-0227" source="CVE"/>
<description>Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
It was discovered that the ChunkedInputFilter in Tomcat did not fail
subsequent attempts to read input after malformed chunked encoding was
detected. A remote attacker could possibly use this flaw to make Tomcat
process part of the request body as new request, or cause a denial of
service. (CVE-2014-0227)
All Tomcat 7 users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing this
update, the tomcat service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-12"/>
<updated date="2015-05-12"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0227">CVE-2014-0227</cve>
<bugzilla href="https://bugzilla.redhat.com/1109196" id="1109196">CVE-2014-0227 Tomcat/JBossWeb: request smuggling andl imited DoS in ChunkedInputFilter</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="tomcat is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983005"/>
<criterion comment="tomcat is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686006"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-admin-webapps is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983011"/>
<criterion comment="tomcat-admin-webapps is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686016"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-docs-webapp is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983007"/>
<criterion comment="tomcat-docs-webapp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686014"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-el-2.2-api is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983009"/>
<criterion comment="tomcat-el-2.2-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686024"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-javadoc is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983015"/>
<criterion comment="tomcat-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686012"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-jsp-2.2-api is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983017"/>
<criterion comment="tomcat-jsp-2.2-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686018"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-jsvc is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983023"/>
<criterion comment="tomcat-jsvc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686022"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-lib is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983021"/>
<criterion comment="tomcat-lib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686010"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-servlet-3.0-api is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983019"/>
<criterion comment="tomcat-servlet-3.0-api is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686020"/>
</criteria>
<criteria operator="AND">
<criterion comment="tomcat-webapps is earlier than 0:7.0.54-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150983013"/>
<criterion comment="tomcat-webapps is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140686008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150986" version="602">
<metadata>
<title>RHSA-2015:0986: kexec-tools security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0986-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0986.html" source="RHSA"/>
<reference ref_id="CVE-2015-0267" ref_url="https://access.redhat.com/security/cve/CVE-2015-0267" source="CVE"/>
<description>The kexec-tools packages contain the /sbin/kexec binary and utilities that
together form the user-space component of the kernel's kexec feature.
The /sbin/kexec binary facilitates a new kernel to boot using the kernel's
kexec feature either on a normal or a panic reboot. The kexec fastboot
mechanism allows booting a Linux kernel from the context of an already
running kernel.
It was found that the module-setup.sh script provided by kexec-tools
created temporary files in an insecure way. A malicious, local user could
use this flaw to conduct a symbolic link attack, allowing them to overwrite
the contents of arbitrary files. (CVE-2015-0267)
This issue was discovered by Harald Hoyer of Red Hat.
This update also fixes the following bug:
* On Red Hat Enterprise Linux Atomic Host systems, the kdump tool
previously saved kernel crash dumps in the /sysroot/crash file instead of
the /var/crash file. The parsing error that caused this problem has been
fixed, and the kernel crash dumps are now correctly saved in /var/crash.
(BZ#1206464)
In addition, this update adds the following enhancement:
* The makedumpfile command now supports the new sadump format that can
represent more than 16 TB of physical memory space. This allows users of
makedumpfile to read dump files over 16 TB, generated by sadump on certain
upcoming server models. (BZ#1208753)
All kexec-tools users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues and add this
enhancement.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-12"/>
<updated date="2015-05-12"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0267">CVE-2015-0267</cve>
<bugzilla href="https://bugzilla.redhat.com/1191575" id="1191575">CVE-2015-0267 kexec-tools: insecure use of /tmp/*$$* filenames</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kexec-tools is earlier than 0:2.0.7-19.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150986009"/>
<criterion comment="kexec-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150986010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kexec-tools-anaconda-addon is earlier than 0:2.0.7-19.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150986005"/>
<criterion comment="kexec-tools-anaconda-addon is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150986006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kexec-tools-eppic is earlier than 0:2.0.7-19.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150986007"/>
<criterion comment="kexec-tools-eppic is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150986008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150987" version="601">
<metadata>
<title>RHSA-2015:0987: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0987-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0987.html" source="RHSA"/>
<reference ref_id="CVE-2015-3331" ref_url="https://access.redhat.com/security/cve/CVE-2015-3331" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A buffer overflow flaw was found in the way the Linux kernel's Intel
AES-NI instructions optimized version of the RFC4106 GCM mode decryption
functionality handled fragmented packets. A remote attacker could use this
flaw to crash, or potentially escalate their privileges on, a system over a
connection with an active AEC-GCM mode IPSec security association.
(CVE-2015-3331, Important)
This update also fixes the following bugs:
* Previously, the kernel audit subsystem did not correctly track file path
names which could lead to empty, or "(null)" path names in the PATH audit
records. This update fixes the bug by correctly tracking file path names
and displaying the names in the audit PATH records. (BZ#1197746)
* Due to a change in the internal representation of field types,
AUDIT_LOGINUID set to -1 (4294967295) by the audit API was asymmetrically
converted to an AUDIT_LOGINUID_SET field with a value of 0, unrecognized by
an older audit API. To fix this bug, the kernel takes note about the way
the rule has been formulated and reports the rule in the originally given
form. As a result, older versions of audit provide a report as expected, in
the AUDIT_LOGINUID field type form, whereas the newer versions can migrate
to the new AUDIT_LOGINUID_SET filed type. (BZ#1197748)
* The GFS2 file system "Splice Read" operation, which is used for the
sendfile() function, was not properly allocating a required multi-block
reservation structure in memory. Consequently, when the GFS2 block
allocator was called to assign blocks of data, it attempted to dereference
the structure, which resulted in a kernel panic. With this update, "Splice
read" operation properly allocates the necessary reservation structure in
memory prior to calling the block allocator, and sendfile() thus works
properly for GFS2. (BZ#1201256)
* Moving an Open vSwitch (OVS) internal vport to a different net name space
and subsequently deleting that name space led to a kernel panic. This bug
has been fixed by removing the OVS internal vport at net name space
deletion. (BZ#1202357)
* Previously, the kernel audit subsystem was not correctly handling file
and directory moves, leading to audit records that did not match the audit
file watches. This fix correctly handles moves such that the audit file
watches work correctly. (BZ#1202358)
* Due to a regression, the crypto adapter could not be set online. A patch
has been provided that fixes the device registration process so that the
device can be used also before the registration process is completed, thus
fixing this bug. (BZ#1205300)
* Due to incorrect calculation for entropy during the entropy addition, the
amount of entropy in the /dev/random file could be overestimated.
The formula for the entropy addition has been changed, thus fixing this
bug. (BZ#1211288)
* Previously, the ansi_cprng and drbg utilities did not obey the call
convention and returned the positive value on success instead of the
correct value of zero. Consequently, Internet Protocol Security (IPsec)
terminated unexpectedly when ansi_cprng or drbg were used. With this
update, ansi_cprng and drbg have been changed to return zero on success,
and IPsec now functions correctly. (BZ#1211487)
* Due to a failure to clear the timestamp flag when reusing a tx descriptor
in the mlx4_en driver, programs that did not request a hardware timestamp
packet on their sent data received it anyway, resulting in unexpected
behavior in certain applications. With this update, when reusing the tx
descriptor in the mlx4_en driver in the aforementioned situation, the
hardware timestamp flag is cleared, and applications now behave as
expected. (BZ#1209240)
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-12"/>
<updated date="2015-05-12"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3331">CVE-2015-3331</cve>
<bugzilla href="https://bugzilla.redhat.com/1213322" id="1213322">CVE-2015-3331 Kernel: crypto: buffer overruns in RFC4106 implementation using AESNI</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987021"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987005"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987033"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987017"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987011"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987013"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987007"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987019"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987009"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987015"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987027"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987031"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987029"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987023"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-229.4.2.el7" test_ref="oval:com.redhat.rhsa:tst:20150987025"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150988" version="603">
<metadata>
<title>RHSA-2015:0988: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2015:0988-02" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0988.html" source="RHSA"/>
<reference ref_id="CVE-2015-0797" ref_url="https://access.redhat.com/security/cve/CVE-2015-0797" source="CVE"/>
<reference ref_id="CVE-2015-2708" ref_url="https://access.redhat.com/security/cve/CVE-2015-2708" source="CVE"/>
<reference ref_id="CVE-2015-2710" ref_url="https://access.redhat.com/security/cve/CVE-2015-2710" source="CVE"/>
<reference ref_id="CVE-2015-2713" ref_url="https://access.redhat.com/security/cve/CVE-2015-2713" source="CVE"/>
<reference ref_id="CVE-2015-2716" ref_url="https://access.redhat.com/security/cve/CVE-2015-2716" source="CVE"/>
<reference ref_id="CVE-2015-4496" ref_url="https://access.redhat.com/security/cve/CVE-2015-4496" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2015-2708, CVE-2015-0797, CVE-2015-2710, CVE-2015-2713)
A heap-based buffer overflow flaw was found in the way Firefox processed
compressed XML data. An attacker could create specially crafted compressed
XML content that, when processed by Firefox, could cause it to crash or
execute arbitrary code with the privileges of the user running Firefox.
(CVE-2015-2716)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jesse Ruderman, Mats Palmgren, Byron Campen, Steve
Fink, Aki Helin, Atte Kettunen, Scott Bell, and Ucha Gobejishvili as the
original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.0 ESR, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-12"/>
<updated date="2015-05-12"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0797">CVE-2015-0797</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2708">CVE-2015-2708</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2710">CVE-2015-2710</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2713">CVE-2015-2713</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2716">CVE-2015-2716</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4496">CVE-2015-4496</cve>
<bugzilla href="https://bugzilla.redhat.com/1220597" id="1220597">CVE-2015-2708 Mozilla: Miscellaneous memory safety hazards (rv:31.7) (MFSA 2015-46)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1220600" id="1220600">CVE-2015-0797 Mozilla: Buffer overflow parsing H.264 video with Linux Gstreamer (MFSA 2015-47)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1220601" id="1220601">CVE-2015-2710 Mozilla: Buffer overflow with SVG content and CSS (MFSA 2015-48)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1220605" id="1220605">CVE-2015-2713 Mozilla: Use-after-free during text processing with vertical text enabled (MFSA 2015-51)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1220607" id="1220607">CVE-2015-2716 Mozilla: Buffer overflow when parsing compressed XML (MFSA 2015-54)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.0-4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20150988002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.0-4.el6_6" test_ref="oval:com.redhat.rhsa:tst:20150988008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.0-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20150988014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20150999" version="601">
<metadata>
<title>RHSA-2015:0999: qemu-kvm security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:0999-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-0999.html" source="RHSA"/>
<reference ref_id="CVE-2015-3456" ref_url="https://access.redhat.com/security/cve/CVE-2015-3456" source="CVE"/>
<description>KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the
user-space component for running virtual machines using KVM.
An out-of-bounds memory access flaw was found in the way QEMU's virtual
Floppy Disk Controller (FDC) handled FIFO buffer access while processing
certain FDC commands. A privileged guest user could use this flaw to crash
the guest or, potentially, execute arbitrary code on the host with the
privileges of the host's QEMU process corresponding to the guest.
(CVE-2015-3456)
Red Hat would like to thank Jason Geffner of CrowdStrike for reporting
this issue.
All qemu-kvm users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-13"/>
<updated date="2015-05-13"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3456">CVE-2015-3456</cve>
<bugzilla href="https://bugzilla.redhat.com/1218611" id="1218611">CVE-2015-3456 qemu: fdc: out-of-bounds fifo buffer memory access</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libcacard is earlier than 10:1.5.3-86.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150999009"/>
<criterion comment="libcacard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-devel is earlier than 10:1.5.3-86.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150999007"/>
<criterion comment="libcacard-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-tools is earlier than 10:1.5.3-86.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150999005"/>
<criterion comment="libcacard-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704016"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-img is earlier than 10:1.5.3-86.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150999011"/>
<criterion comment="qemu-img is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704014"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm is earlier than 10:1.5.3-86.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150999013"/>
<criterion comment="qemu-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704006"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150999015"/>
<criterion comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704018"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20150999017"/>
<criterion comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151012" version="602">
<metadata>
<title>RHSA-2015:1012: thunderbird security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1012-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1012.html" source="RHSA"/>
<reference ref_id="CVE-2015-2708" ref_url="https://access.redhat.com/security/cve/CVE-2015-2708" source="CVE"/>
<reference ref_id="CVE-2015-2710" ref_url="https://access.redhat.com/security/cve/CVE-2015-2710" source="CVE"/>
<reference ref_id="CVE-2015-2713" ref_url="https://access.redhat.com/security/cve/CVE-2015-2713" source="CVE"/>
<reference ref_id="CVE-2015-2716" ref_url="https://access.redhat.com/security/cve/CVE-2015-2716" source="CVE"/>
<description>Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-2708, CVE-2015-2710, CVE-2015-2713)
A heap-based buffer overflow flaw was found in the way Thunderbird
processed compressed XML data. An attacker could create specially crafted
compressed XML content that, when processed by Thunderbird, could cause it
to crash or execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-2716)
Note: All of the above issues cannot be exploited by a specially crafted
HTML mail message as JavaScript is disabled by default for mail messages.
They could be exploited another way in Thunderbird, for example, when
viewing the full remote content of an RSS feed.
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jesse Ruderman, Mats Palmgren, Byron Campen, Steve
Fink, Atte Kettunen, Scott Bell, and Ucha Gobejishvili as the original
reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 31.7. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 31.7, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-18"/>
<updated date="2015-05-18"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2708">CVE-2015-2708</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2710">CVE-2015-2710</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2713">CVE-2015-2713</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2716">CVE-2015-2716</cve>
<bugzilla href="https://bugzilla.redhat.com/1220597" id="1220597">CVE-2015-2708 Mozilla: Miscellaneous memory safety hazards (rv:31.7) (MFSA 2015-46)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1220601" id="1220601">CVE-2015-2710 Mozilla: Buffer overflow with SVG content and CSS (MFSA 2015-48)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1220605" id="1220605">CVE-2015-2713 Mozilla: Use-after-free during text processing with vertical text enabled (MFSA 2015-51)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1220607" id="1220607">CVE-2015-2716 Mozilla: Buffer overflow when parsing compressed XML (MFSA 2015-54)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/a:redhat:rhel_productivity:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="thunderbird is earlier than 0:31.7.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151012002"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150771003"/>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:31.7.0-1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151012008"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:31.7.0-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151012014"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151072" version="601">
<metadata>
<title>RHSA-2015:1072: openssl security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1072-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1072.html" source="RHSA"/>
<reference ref_id="CVE-2015-4000" ref_url="https://access.redhat.com/security/cve/CVE-2015-4000" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
A flaw was found in the way the TLS protocol composes the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them do decrypt all traffic. (CVE-2015-4000)
Note: This update forces the TLS/SSL client implementation in OpenSSL to
reject DH key sizes below 768 bits, which prevents sessions to be
downgraded to export-grade keys. Future updates may raise this limit to
1024 bits.
All openssl users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all services linked to the OpenSSL library must be restarted, or
the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-04"/>
<updated date="2015-06-04"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4000">CVE-2015-4000</cve>
<bugzilla href="https://bugzilla.redhat.com/1223211" id="1223211">CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 0:1.0.1e-30.el6_6.9" test_ref="oval:com.redhat.rhsa:tst:20151072009"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 0:1.0.1e-30.el6_6.9" test_ref="oval:com.redhat.rhsa:tst:20151072011"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 0:1.0.1e-30.el6_6.9" test_ref="oval:com.redhat.rhsa:tst:20151072007"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 0:1.0.1e-30.el6_6.9" test_ref="oval:com.redhat.rhsa:tst:20151072005"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-42.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151072021"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-42.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151072022"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-42.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151072019"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-42.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151072017"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-42.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151072018"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151083" version="601">
<metadata>
<title>RHSA-2015:1083: abrt security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1083-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1083.html" source="RHSA"/>
<reference ref_id="CVE-2015-1869" ref_url="https://access.redhat.com/security/cve/CVE-2015-1869" source="CVE"/>
<reference ref_id="CVE-2015-1870" ref_url="https://access.redhat.com/security/cve/CVE-2015-1870" source="CVE"/>
<reference ref_id="CVE-2015-3142" ref_url="https://access.redhat.com/security/cve/CVE-2015-3142" source="CVE"/>
<reference ref_id="CVE-2015-3147" ref_url="https://access.redhat.com/security/cve/CVE-2015-3147" source="CVE"/>
<reference ref_id="CVE-2015-3150" ref_url="https://access.redhat.com/security/cve/CVE-2015-3150" source="CVE"/>
<reference ref_id="CVE-2015-3151" ref_url="https://access.redhat.com/security/cve/CVE-2015-3151" source="CVE"/>
<reference ref_id="CVE-2015-3159" ref_url="https://access.redhat.com/security/cve/CVE-2015-3159" source="CVE"/>
<reference ref_id="CVE-2015-3315" ref_url="https://access.redhat.com/security/cve/CVE-2015-3315" source="CVE"/>
<description>ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect
defects in applications and to create a bug report with all the information
needed by a maintainer to fix it. It uses a plug-in system to extend its
functionality.
It was found that ABRT was vulnerable to multiple race condition and
symbolic link flaws. A local attacker could use these flaws to potentially
escalate their privileges on the system. (CVE-2015-3315)
It was discovered that the kernel-invoked coredump processor provided by
ABRT wrote core dumps to files owned by other system users. This could
result in information disclosure if an application crashed while its
current directory was a directory writable to by other users (such as
/tmp). (CVE-2015-3142)
It was discovered that the default event handling scripts installed by ABRT
did not handle symbolic links correctly. A local attacker with write access
to an ABRT problem directory could use this flaw to escalate their
privileges. (CVE-2015-1869)
It was found that the ABRT event scripts created a user-readable copy of an
sosreport file in ABRT problem directories, and included excerpts of
/var/log/messages selected by the user-controlled process name, leading to
an information disclosure. (CVE-2015-1870)
It was discovered that, when moving problem reports between certain
directories, abrt-handle-upload did not verify that the new problem
directory had appropriate permissions and did not contain symbolic links.
An attacker able to create a crafted problem report could use this flaw to
expose other parts of ABRT to attack, or to overwrite arbitrary files on
the system. (CVE-2015-3147)
Multiple directory traversal flaws were found in the abrt-dbus D-Bus
service. A local attacker could use these flaws to read and write arbitrary
files as the root user. (CVE-2015-3151)
It was discovered that the abrt-dbus D-Bus service did not properly check
the validity of the problem directory argument in the ChownProblemDir,
DeleteElement, and DeleteProblem methods. A local attacker could use this
flaw to take ownership of arbitrary files and directories, or to delete
files and directories as the root user. (CVE-2015-3150)
It was discovered that the abrt-action-install-debuginfo-to-abrt-cache
helper program did not properly filter the process environment before
invoking abrt-action-install-debuginfo. A local attacker could use this
flaw to escalate their privileges on the system. (CVE-2015-3159)
All users of abrt are advised to upgrade to these updated packages, which
correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-09"/>
<updated date="2015-06-09"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1869">CVE-2015-1869</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1870">CVE-2015-1870</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3142">CVE-2015-3142</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3147">CVE-2015-3147</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3150">CVE-2015-3150</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3151">CVE-2015-3151</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3159">CVE-2015-3159</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3315">CVE-2015-3315</cve>
<bugzilla href="https://bugzilla.redhat.com/1211835" id="1211835">CVE-2015-3315 abrt: Various race-conditions and symlink issues found in abrt</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212818" id="1212818">CVE-2015-3142 abrt: abrt-hook-ccpp writes core dumps to existing files owned by others</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212861" id="1212861">CVE-2015-1869 abrt: default event scripts follow symbolic links</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212868" id="1212868">CVE-2015-1870 abrt: default abrt event scripts lead to information disclosure</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212953" id="1212953">CVE-2015-3147 abrt: does not validate contents of uploaded problem reports</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1214451" id="1214451">CVE-2015-3151 abrt: directory traversals in several D-Bus methods implemented by abrt-dbus</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1214457" id="1214457">CVE-2015-3150 abrt: abrt-dbus does not guard against crafted problem directory path arguments</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1216962" id="1216962">CVE-2015-3159 abrt: missing process environment sanitizaton in abrt-action-install-debuginfo-to-abrt-cache</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1218610" id="1218610">libreport: races in dump directory handling code [rhel-7.1.z]</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="abrt is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083025"/>
<criterion comment="abrt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083026"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-ccpp is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083041"/>
<criterion comment="abrt-addon-ccpp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083042"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-kerneloops is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083005"/>
<criterion comment="abrt-addon-kerneloops is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083006"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-pstoreoops is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083021"/>
<criterion comment="abrt-addon-pstoreoops is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083022"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-python is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083029"/>
<criterion comment="abrt-addon-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083030"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-upload-watch is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083043"/>
<criterion comment="abrt-addon-upload-watch is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083044"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-vmcore is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083017"/>
<criterion comment="abrt-addon-vmcore is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083018"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-xorg is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083015"/>
<criterion comment="abrt-addon-xorg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083016"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-cli is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083031"/>
<criterion comment="abrt-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083032"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-console-notification is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083011"/>
<criterion comment="abrt-console-notification is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083012"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-dbus is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083037"/>
<criterion comment="abrt-dbus is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083038"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-desktop is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083023"/>
<criterion comment="abrt-desktop is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083024"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-devel is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083009"/>
<criterion comment="abrt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083010"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-gui is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083019"/>
<criterion comment="abrt-gui is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083020"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-gui-devel is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083013"/>
<criterion comment="abrt-gui-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083014"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-gui-libs is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083027"/>
<criterion comment="abrt-gui-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083028"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-libs is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083007"/>
<criterion comment="abrt-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083008"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-python is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083033"/>
<criterion comment="abrt-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083034"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-python-doc is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083045"/>
<criterion comment="abrt-python-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083046"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-retrace-client is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083035"/>
<criterion comment="abrt-retrace-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083036"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-tui is earlier than 0:2.1.11-22.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083039"/>
<criterion comment="abrt-tui is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083040"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083067"/>
<criterion comment="libreport is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083068"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-anaconda is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083087"/>
<criterion comment="libreport-anaconda is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083088"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-cli is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083073"/>
<criterion comment="libreport-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083074"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-compat is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083085"/>
<criterion comment="libreport-compat is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083086"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-devel is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083057"/>
<criterion comment="libreport-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083058"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-filesystem is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083071"/>
<criterion comment="libreport-filesystem is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083072"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-gtk is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083053"/>
<criterion comment="libreport-gtk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083054"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-gtk-devel is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083075"/>
<criterion comment="libreport-gtk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083076"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-newt is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083065"/>
<criterion comment="libreport-newt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083066"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-bugzilla is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083069"/>
<criterion comment="libreport-plugin-bugzilla is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083070"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-kerneloops is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083077"/>
<criterion comment="libreport-plugin-kerneloops is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083078"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-logger is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083055"/>
<criterion comment="libreport-plugin-logger is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083056"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-mailx is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083059"/>
<criterion comment="libreport-plugin-mailx is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083060"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-reportuploader is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083061"/>
<criterion comment="libreport-plugin-reportuploader is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083062"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-rhtsupport is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083079"/>
<criterion comment="libreport-plugin-rhtsupport is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083080"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-ureport is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083047"/>
<criterion comment="libreport-plugin-ureport is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083048"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-python is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083063"/>
<criterion comment="libreport-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083064"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-rhel is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083089"/>
<criterion comment="libreport-rhel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083090"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-rhel-anaconda-bugzilla is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083049"/>
<criterion comment="libreport-rhel-anaconda-bugzilla is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083050"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-rhel-bugzilla is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083051"/>
<criterion comment="libreport-rhel-bugzilla is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083052"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-web is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083081"/>
<criterion comment="libreport-web is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083082"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-web-devel is earlier than 0:2.1.11-23.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151083083"/>
<criterion comment="libreport-web-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083084"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151090" version="601">
<metadata>
<title>RHSA-2015:1090: wpa_supplicant security and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1090-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1090.html" source="RHSA"/>
<reference ref_id="CVE-2015-1863" ref_url="https://access.redhat.com/security/cve/CVE-2015-1863" source="CVE"/>
<reference ref_id="CVE-2015-4142" ref_url="https://access.redhat.com/security/cve/CVE-2015-4142" source="CVE"/>
<description>The wpa_supplicant package contains an 802.1X Supplicant with support for
WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication
methods. It implements key negotiation with a WPA Authenticator for client
stations and controls the roaming and IEEE 802.11 authentication and
association of the WLAN driver.
A buffer overflow flaw was found in the way wpa_supplicant handled SSID
information in the Wi-Fi Direct / P2P management frames. A specially
crafted frame could allow an attacker within Wi-Fi radio range to cause
wpa_supplicant to crash or, possibly, execute arbitrary code.
(CVE-2015-1863)
An integer underflow flaw, leading to a buffer over-read, was found in the
way wpa_supplicant handled WMM Action frames. A specially crafted frame
could possibly allow an attacker within Wi-Fi radio range to cause
wpa_supplicant to crash. (CVE-2015-4142)
Red Hat would like to thank Jouni Malinen of the wpa_supplicant upstream
for reporting the CVE-2015-1863 issue. Upstream acknowledges Alibaba
security team as the original reporter.
This update also adds the following enhancement:
* Prior to this update, wpa_supplicant did not provide a way to require the
host name to be listed in an X.509 certificate's Common Name or Subject
Alternative Name, and only allowed host name suffix or subject substring
checks. This update introduces a new configuration directive,
'domain_match', which adds a full host name check. (BZ#1178263)
All wpa_supplicant users are advised to upgrade to this updated package,
which contains backported patches to correct these issues and add this
enhancement. After installing this update, the wpa_supplicant service will
be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-11"/>
<updated date="2015-06-11"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1863">CVE-2015-1863</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4142">CVE-2015-4142</cve>
<bugzilla href="https://bugzilla.redhat.com/1178263" id="1178263">wpa_supplicant: add support for non-substring server identity check [rhel-7]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211191" id="1211191">CVE-2015-1863 wpa_supplicant: P2P SSID processing vulnerability</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1221178" id="1221178">CVE-2015-4142 wpa_supplicant and hostapd: integer underflow in AP mode WMM Action frame processing</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="wpa_supplicant is earlier than 1:2.0-17.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151090005"/>
<criterion comment="wpa_supplicant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141956006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151115" version="601">
<metadata>
<title>RHSA-2015:1115: openssl security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1115-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1115.html" source="RHSA"/>
<reference ref_id="CVE-2014-8176" ref_url="https://access.redhat.com/security/cve/CVE-2014-8176" source="CVE"/>
<reference ref_id="CVE-2015-1789" ref_url="https://access.redhat.com/security/cve/CVE-2015-1789" source="CVE"/>
<reference ref_id="CVE-2015-1790" ref_url="https://access.redhat.com/security/cve/CVE-2015-1790" source="CVE"/>
<reference ref_id="CVE-2015-1791" ref_url="https://access.redhat.com/security/cve/CVE-2015-1791" source="CVE"/>
<reference ref_id="CVE-2015-1792" ref_url="https://access.redhat.com/security/cve/CVE-2015-1792" source="CVE"/>
<reference ref_id="CVE-2015-3216" ref_url="https://access.redhat.com/security/cve/CVE-2015-3216" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
An invalid free flaw was found in the way OpenSSL handled certain DTLS
handshake messages. A malicious DTLS client or server could cause a DTLS
server or client using OpenSSL to crash or, potentially, execute arbitrary
code. (CVE-2014-8176)
A flaw was found in the way the OpenSSL packages shipped with Red Hat
Enterprise Linux 6 and 7 performed locking in the ssleay_rand_bytes()
function. This issue could possibly cause a multi-threaded application
using OpenSSL to perform an out-of-bounds read and crash. (CVE-2015-3216)
An out-of-bounds read flaw was found in the X509_cmp_time() function of
OpenSSL. A specially crafted X.509 certificate or a Certificate Revocation
List (CRL) could possibly cause a TLS/SSL server or client using OpenSSL
to crash. (CVE-2015-1789)
A race condition was found in the session handling code of OpenSSL. This
issue could possibly cause a multi-threaded TLS/SSL client using OpenSSL
to double free session ticket data and crash. (CVE-2015-1791)
A flaw was found in the way OpenSSL handled Cryptographic Message Syntax
(CMS) messages. A CMS message with an unknown hash function identifier
could cause an application using OpenSSL to enter an infinite loop.
(CVE-2015-1792)
A NULL pointer dereference was found in the way OpenSSL handled certain
PKCS#7 inputs. A specially crafted PKCS#7 input with missing
EncryptedContent data could cause an application using OpenSSL to crash.
(CVE-2015-1790)
Red Hat would like to thank the OpenSSL project for reporting
CVE-2014-8176, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791 and
CVE-2015-1792 flaws. Upstream acknowledges Praveen Kariyanahalli and Ivan
Fratric as the original reporters of CVE-2014-8176, Robert Swiecki and
Hanno Böck as the original reporters of CVE-2015-1789, Michal Zalewski as
the original reporter of CVE-2015-1790, Emilia Käsper as the original
report of CVE-2015-1791 and Johannes Bauer as the original reporter of
CVE-2015-1792.
All openssl users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all services linked to the OpenSSL library must be restarted, or
the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-15"/>
<updated date="2015-06-15"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8176">CVE-2014-8176</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1789">CVE-2015-1789</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1790">CVE-2015-1790</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1791">CVE-2015-1791</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1792">CVE-2015-1792</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3216">CVE-2015-3216</cve>
<bugzilla href="https://bugzilla.redhat.com/1227574" id="1227574">CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1228603" id="1228603">CVE-2015-1789 OpenSSL: out-of-bounds read in X509_cmp_time</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1228604" id="1228604">CVE-2015-1790 OpenSSL: PKCS7 crash with missing EnvelopedContent</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1228607" id="1228607">CVE-2015-1792 OpenSSL: CMS verify infinite loop with unknown hash function</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1228608" id="1228608">CVE-2015-1791 OpenSSL: Race condition handling NewSessionTicket</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1228611" id="1228611">CVE-2014-8176 OpenSSL: Invalid free in DTLS</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 0:1.0.1e-30.el6_6.11" test_ref="oval:com.redhat.rhsa:tst:20151115011"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 0:1.0.1e-30.el6_6.11" test_ref="oval:com.redhat.rhsa:tst:20151115009"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 0:1.0.1e-30.el6_6.11" test_ref="oval:com.redhat.rhsa:tst:20151115005"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 0:1.0.1e-30.el6_6.11" test_ref="oval:com.redhat.rhsa:tst:20151115007"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-42.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151115018"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-42.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151115017"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-42.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151115019"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-42.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151115021"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-42.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151115022"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151123" version="601">
<metadata>
<title>RHSA-2015:1123: cups security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1123-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1123.html" source="RHSA"/>
<reference ref_id="CVE-2014-9679" ref_url="https://access.redhat.com/security/cve/CVE-2014-9679" source="CVE"/>
<reference ref_id="CVE-2015-1158" ref_url="https://access.redhat.com/security/cve/CVE-2015-1158" source="CVE"/>
<reference ref_id="CVE-2015-1159" ref_url="https://access.redhat.com/security/cve/CVE-2015-1159" source="CVE"/>
<description>CUPS provides a portable printing layer for Linux, UNIX, and similar
operating systems.
A string reference count bug was found in cupsd, causing premature freeing
of string objects. An attacker can submit a malicious print job that
exploits this flaw to dismantle ACLs protecting privileged operations,
allowing a replacement configuration file to be uploaded which in turn
allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)
A cross-site scripting flaw was found in the cups web templating engine. An
attacker could use this flaw to bypass the default configuration settings
that bind the CUPS scheduler to the 'localhost' or loopback interface.
(CVE-2015-1159)
An integer overflow leading to a heap-based buffer overflow was found in
the way cups handled compressed raster image files. An attacker could
create a specially-crafted image file, which when passed via the cups
Raster filter, could cause the cups filter to crash. (CVE-2014-9679)
Red Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and
CVE-2015-1159 issues.
All cups users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the cupsd daemon will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-17"/>
<updated date="2015-06-17"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9679">CVE-2014-9679</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1158">CVE-2015-1158</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1159">CVE-2015-1159</cve>
<bugzilla href="https://bugzilla.redhat.com/1191588" id="1191588">CVE-2014-9679 cups: cupsRasterReadPixels buffer overflow</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1221641" id="1221641">CVE-2015-1158 cups: incorrect string reference counting (VU#810572)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1221642" id="1221642">CVE-2015-1159 cups: cross-site scripting flaw in CUPS web UI (VU#810572)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="cups is earlier than 1:1.4.2-67.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20151123009"/>
<criterion comment="cups is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123010"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-devel is earlier than 1:1.4.2-67.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20151123007"/>
<criterion comment="cups-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123008"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-libs is earlier than 1:1.4.2-67.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20151123005"/>
<criterion comment="cups-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123006"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-lpd is earlier than 1:1.4.2-67.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20151123013"/>
<criterion comment="cups-lpd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123014"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-php is earlier than 1:1.4.2-67.el6_6.1" test_ref="oval:com.redhat.rhsa:tst:20151123011"/>
<criterion comment="cups-php is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="cups is earlier than 1:1.6.3-17.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151123020"/>
<criterion comment="cups is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123010"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-client is earlier than 1:1.6.3-17.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151123024"/>
<criterion comment="cups-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123025"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-devel is earlier than 1:1.6.3-17.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151123019"/>
<criterion comment="cups-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123008"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-filesystem is earlier than 1:1.6.3-17.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151123027"/>
<criterion comment="cups-filesystem is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123028"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-ipptool is earlier than 1:1.6.3-17.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151123021"/>
<criterion comment="cups-ipptool is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123022"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-libs is earlier than 1:1.6.3-17.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151123023"/>
<criterion comment="cups-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123006"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-lpd is earlier than 1:1.6.3-17.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151123026"/>
<criterion comment="cups-lpd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151123014"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151135" version="602">
<metadata>
<title>RHSA-2015:1135: php security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1135-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1135.html" source="RHSA"/>
<reference ref_id="CVE-2014-8142" ref_url="https://access.redhat.com/security/cve/CVE-2014-8142" source="CVE"/>
<reference ref_id="CVE-2014-9652" ref_url="https://access.redhat.com/security/cve/CVE-2014-9652" source="CVE"/>
<reference ref_id="CVE-2014-9705" ref_url="https://access.redhat.com/security/cve/CVE-2014-9705" source="CVE"/>
<reference ref_id="CVE-2014-9709" ref_url="https://access.redhat.com/security/cve/CVE-2014-9709" source="CVE"/>
<reference ref_id="CVE-2015-0231" ref_url="https://access.redhat.com/security/cve/CVE-2015-0231" source="CVE"/>
<reference ref_id="CVE-2015-0232" ref_url="https://access.redhat.com/security/cve/CVE-2015-0232" source="CVE"/>
<reference ref_id="CVE-2015-0273" ref_url="https://access.redhat.com/security/cve/CVE-2015-0273" source="CVE"/>
<reference ref_id="CVE-2015-2301" ref_url="https://access.redhat.com/security/cve/CVE-2015-2301" source="CVE"/>
<reference ref_id="CVE-2015-2348" ref_url="https://access.redhat.com/security/cve/CVE-2015-2348" source="CVE"/>
<reference ref_id="CVE-2015-2783" ref_url="https://access.redhat.com/security/cve/CVE-2015-2783" source="CVE"/>
<reference ref_id="CVE-2015-2787" ref_url="https://access.redhat.com/security/cve/CVE-2015-2787" source="CVE"/>
<reference ref_id="CVE-2015-3307" ref_url="https://access.redhat.com/security/cve/CVE-2015-3307" source="CVE"/>
<reference ref_id="CVE-2015-3329" ref_url="https://access.redhat.com/security/cve/CVE-2015-3329" source="CVE"/>
<reference ref_id="CVE-2015-3330" ref_url="https://access.redhat.com/security/cve/CVE-2015-3330" source="CVE"/>
<reference ref_id="CVE-2015-3411" ref_url="https://access.redhat.com/security/cve/CVE-2015-3411" source="CVE"/>
<reference ref_id="CVE-2015-3412" ref_url="https://access.redhat.com/security/cve/CVE-2015-3412" source="CVE"/>
<reference ref_id="CVE-2015-4021" ref_url="https://access.redhat.com/security/cve/CVE-2015-4021" source="CVE"/>
<reference ref_id="CVE-2015-4022" ref_url="https://access.redhat.com/security/cve/CVE-2015-4022" source="CVE"/>
<reference ref_id="CVE-2015-4024" ref_url="https://access.redhat.com/security/cve/CVE-2015-4024" source="CVE"/>
<reference ref_id="CVE-2015-4025" ref_url="https://access.redhat.com/security/cve/CVE-2015-4025" source="CVE"/>
<reference ref_id="CVE-2015-4026" ref_url="https://access.redhat.com/security/cve/CVE-2015-4026" source="CVE"/>
<reference ref_id="CVE-2015-4147" ref_url="https://access.redhat.com/security/cve/CVE-2015-4147" source="CVE"/>
<reference ref_id="CVE-2015-4148" ref_url="https://access.redhat.com/security/cve/CVE-2015-4148" source="CVE"/>
<reference ref_id="CVE-2015-4598" ref_url="https://access.redhat.com/security/cve/CVE-2015-4598" source="CVE"/>
<reference ref_id="CVE-2015-4599" ref_url="https://access.redhat.com/security/cve/CVE-2015-4599" source="CVE"/>
<reference ref_id="CVE-2015-4600" ref_url="https://access.redhat.com/security/cve/CVE-2015-4600" source="CVE"/>
<reference ref_id="CVE-2015-4601" ref_url="https://access.redhat.com/security/cve/CVE-2015-4601" source="CVE"/>
<reference ref_id="CVE-2015-4602" ref_url="https://access.redhat.com/security/cve/CVE-2015-4602" source="CVE"/>
<reference ref_id="CVE-2015-4603" ref_url="https://access.redhat.com/security/cve/CVE-2015-4603" source="CVE"/>
<reference ref_id="CVE-2015-4604" ref_url="https://access.redhat.com/security/cve/CVE-2015-4604" source="CVE"/>
<reference ref_id="CVE-2015-4605" ref_url="https://access.redhat.com/security/cve/CVE-2015-4605" source="CVE"/>
<reference ref_id="CVE-2015-4643" ref_url="https://access.redhat.com/security/cve/CVE-2015-4643" source="CVE"/>
<description>PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.
A flaw was found in the way the PHP module for the Apache httpd web server
handled pipelined requests. A remote attacker could use this flaw to
trigger the execution of a PHP script in a deinitialized interpreter,
causing it to crash or, possibly, execute arbitrary code. (CVE-2015-3330)
A flaw was found in the way PHP parsed multipart HTTP POST requests. A
specially crafted request could cause PHP to use an excessive amount of CPU
time. (CVE-2015-4024)
An uninitialized pointer use flaw was found in PHP's Exif extension. A
specially crafted JPEG or TIFF file could cause a PHP application using the
exif_read_data() function to crash or, possibly, execute arbitrary code
with the privileges of the user running that PHP application.
(CVE-2015-0232)
An integer overflow flaw leading to a heap-based buffer overflow was found
in the way PHP's FTP extension parsed file listing FTP server responses. A
malicious FTP server could use this flaw to cause a PHP application to
crash or, possibly, execute arbitrary code. (CVE-2015-4022)
Multiple flaws were discovered in the way PHP performed object
unserialization. Specially crafted input processed by the unserialize()
function could cause a PHP application to crash or, possibly, execute
arbitrary code. (CVE-2014-8142, CVE-2015-0231, CVE-2015-0273,
CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600,
CVE-2015-4601, CVE-2015-4602, CVE-2015-4603)
It was found that certain PHP functions did not properly handle file names
containing a NULL character. A remote attacker could possibly use this flaw
to make a PHP script access unexpected files and bypass intended file
system access restrictions. (CVE-2015-2348, CVE-2015-4025, CVE-2015-4026,
CVE-2015-3411, CVE-2015-3412, CVE-2015-4598)
Multiple flaws were found in the way the way PHP's Phar extension parsed
Phar archives. A specially crafted archive could cause PHP to crash or,
possibly, execute arbitrary code when opened. (CVE-2015-2301,
CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021)
Multiple flaws were found in PHP's File Information (fileinfo) extension.
A remote attacker could cause a PHP application to crash if it used
fileinfo to identify type of attacker supplied files. (CVE-2014-9652,
CVE-2015-4604, CVE-2015-4605)
A heap buffer overflow flaw was found in the enchant_broker_request_dict()
function of PHP's enchant extension. An attacker able to make a PHP
application enchant dictionaries could possibly cause it to crash.
(CVE-2014-9705)
A buffer over-read flaw was found in the GD library used by the PHP gd
extension. A specially crafted GIF file could cause a PHP application using
the imagecreatefromgif() function to crash. (CVE-2014-9709)
This update also fixes the following bugs:
* The libgmp library in some cases terminated unexpectedly with a
segmentation fault when being used with other libraries that use the GMP
memory management. With this update, PHP no longer changes libgmp memory
allocators, which prevents the described crash from occurring. (BZ#1212305)
* When using the Open Database Connectivity (ODBC) API, the PHP process
in some cases terminated unexpectedly with a segmentation fault. The
underlying code has been adjusted to prevent this crash. (BZ#1212299)
* Previously, running PHP on a big-endian system sometimes led to memory
corruption in the fileinfo module. This update adjusts the behavior of
the PHP pointer so that it can be freed without causing memory corruption.
(BZ#1212298)
All php users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the httpd daemon must be restarted for the update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-23"/>
<updated date="2015-06-23"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8142">CVE-2014-8142</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9652">CVE-2014-9652</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9705">CVE-2014-9705</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9709">CVE-2014-9709</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0231">CVE-2015-0231</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0232">CVE-2015-0232</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0273">CVE-2015-0273</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2301">CVE-2015-2301</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2348">CVE-2015-2348</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2783">CVE-2015-2783</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2787">CVE-2015-2787</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3307">CVE-2015-3307</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3329">CVE-2015-3329</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3330">CVE-2015-3330</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3411">CVE-2015-3411</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3412">CVE-2015-3412</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4021">CVE-2015-4021</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4022">CVE-2015-4022</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4024">CVE-2015-4024</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4025">CVE-2015-4025</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4026">CVE-2015-4026</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4147">CVE-2015-4147</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4148">CVE-2015-4148</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4598">CVE-2015-4598</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4599">CVE-2015-4599</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4600">CVE-2015-4600</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4601">CVE-2015-4601</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4602">CVE-2015-4602</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4603">CVE-2015-4603</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4604">CVE-2015-4604</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4605">CVE-2015-4605</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4643">CVE-2015-4643</cve>
<bugzilla href="https://bugzilla.redhat.com/1175718" id="1175718">CVE-2014-8142 php: use after free vulnerability in unserialize()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1185397" id="1185397">CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1185472" id="1185472">CVE-2015-0232 php: Free called on unitialized pointer in exif.c</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1188599" id="1188599">CVE-2014-9652 file: out of bounds read in mconvert()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1188639" id="1188639">CVE-2014-9709 gd: buffer read overflow in gd_gif_in.c</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1194730" id="1194730">CVE-2015-0273 php: use after free vulnerability in unserialize() with DateTimeZone</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1194737" id="1194737">CVE-2014-9705 php: heap buffer overflow in enchant_broker_request_dict()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1194747" id="1194747">CVE-2015-2301 php: use after free in phar_object.c</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1204868" id="1204868">CVE-2015-4147 php: SoapClient's __call() type confusion through unserialize()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207676" id="1207676">CVE-2015-2787 php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207682" id="1207682">CVE-2015-2348 php: move_uploaded_file() NUL byte injection in file name</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213394" id="1213394">CVE-2015-3330 php: pipelined request executed in deinitialized interpreter under httpd 2.4</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213407" id="1213407">CVE-2015-3411 php: missing null byte checks for paths in various PHP extensions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213442" id="1213442">CVE-2015-4604 CVE-2015-4605 php: denial of service when processing a crafted file with Fileinfo</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213446" id="1213446">CVE-2015-2783 php: buffer over-read in Phar metadata parsing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213449" id="1213449">CVE-2015-3329 php: buffer overflow in phar_set_inode()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1222485" id="1222485">CVE-2015-4024 php: multipart/form-data request parsing CPU usage DoS</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1222538" id="1222538">CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 php: type confusion issue in unserialize() with various SOAP methods</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223408" id="1223408">CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223412" id="1223412">CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223422" id="1223422">CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223425" id="1223425">CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223441" id="1223441">CVE-2015-3307 php: invalid pointer free() in phar_tar_process_metadata()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1226916" id="1226916">CVE-2015-4148 php: SoapClient's do_soap_call() type confusion after unserialize()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1232823" id="1232823">CVE-2015-3412 php: missing null byte checks for paths in various PHP extensions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1232897" id="1232897">CVE-2015-4598 php: missing null byte checks for paths in DOM and GD extensions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1232918" id="1232918">CVE-2015-4603 php: exception::getTraceAsString type confusion issue after unserialize</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1232923" id="1232923">CVE-2015-4602 php: Incomplete Class unserialization type confusion</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="php is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135009"/>
<criterion comment="php is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013006"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-bcmath is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135043"/>
<criterion comment="php-bcmath is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013010"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-cli is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135039"/>
<criterion comment="php-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013040"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-common is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135021"/>
<criterion comment="php-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013022"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-dba is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135041"/>
<criterion comment="php-dba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013046"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-devel is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135017"/>
<criterion comment="php-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013044"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-embedded is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135031"/>
<criterion comment="php-embedded is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013032"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-enchant is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135007"/>
<criterion comment="php-enchant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013052"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-fpm is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135035"/>
<criterion comment="php-fpm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013054"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-gd is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135033"/>
<criterion comment="php-gd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013024"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-intl is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135027"/>
<criterion comment="php-intl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013012"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-ldap is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135029"/>
<criterion comment="php-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013016"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mbstring is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135013"/>
<criterion comment="php-mbstring is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013048"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mysql is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135047"/>
<criterion comment="php-mysql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013050"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-mysqlnd is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135049"/>
<criterion comment="php-mysqlnd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013028"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-odbc is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135015"/>
<criterion comment="php-odbc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013026"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pdo is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135011"/>
<criterion comment="php-pdo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013008"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pgsql is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135005"/>
<criterion comment="php-pgsql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013018"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-process is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135019"/>
<criterion comment="php-process is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013030"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-pspell is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135037"/>
<criterion comment="php-pspell is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013042"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-recode is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135025"/>
<criterion comment="php-recode is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013034"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-snmp is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135045"/>
<criterion comment="php-snmp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013036"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-soap is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135053"/>
<criterion comment="php-soap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013014"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xml is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135023"/>
<criterion comment="php-xml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013020"/>
</criteria>
<criteria operator="AND">
<criterion comment="php-xmlrpc is earlier than 0:5.4.16-36.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151135051"/>
<criterion comment="php-xmlrpc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141013038"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151137" version="602">
<metadata>
<title>RHSA-2015:1137: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1137-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1137.html" source="RHSA"/>
<reference ref_id="CVE-2014-9420" ref_url="https://access.redhat.com/security/cve/CVE-2014-9420" source="CVE"/>
<reference ref_id="CVE-2014-9529" ref_url="https://access.redhat.com/security/cve/CVE-2014-9529" source="CVE"/>
<reference ref_id="CVE-2014-9584" ref_url="https://access.redhat.com/security/cve/CVE-2014-9584" source="CVE"/>
<reference ref_id="CVE-2015-1573" ref_url="https://access.redhat.com/security/cve/CVE-2015-1573" source="CVE"/>
<reference ref_id="CVE-2015-1593" ref_url="https://access.redhat.com/security/cve/CVE-2015-1593" source="CVE"/>
<reference ref_id="CVE-2015-1805" ref_url="https://access.redhat.com/security/cve/CVE-2015-1805" source="CVE"/>
<reference ref_id="CVE-2015-2830" ref_url="https://access.redhat.com/security/cve/CVE-2015-2830" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* It was found that the Linux kernel's implementation of vectored pipe read
and write functionality did not take into account the I/O vectors that were
already processed when retrying after a failed atomic access operation,
potentially resulting in memory corruption due to an I/O vector array
overrun. A local, unprivileged user could use this flaw to crash the system
or, potentially, escalate their privileges on the system. (CVE-2015-1805,
Important)
* A race condition flaw was found in the way the Linux kernel keys
management subsystem performed key garbage collection. A local attacker
could attempt accessing a key while it was being garbage collected, which
would cause the system to crash. (CVE-2014-9529, Moderate)
* A flaw was found in the way the Linux kernel's 32-bit emulation
implementation handled forking or closing of a task with an 'int80' entry.
A local user could potentially use this flaw to escalate their privileges
on the system. (CVE-2015-2830, Low)
* It was found that the Linux kernel's ISO file system implementation did
not correctly limit the traversal of Rock Ridge extension Continuation
Entries (CE). An attacker with physical access to the system could use this
flaw to trigger an infinite loop in the kernel, resulting in a denial of
service. (CVE-2014-9420, Low)
* An information leak flaw was found in the way the Linux kernel's ISO9660
file system implementation accessed data on an ISO9660 image with RockRidge
Extension Reference (ER) records. An attacker with physical access to the
system could use this flaw to disclose up to 255 bytes of kernel memory.
(CVE-2014-9584, Low)
* A flaw was found in the way the nft_flush_table() function of the Linux
kernel's netfilter tables implementation flushed rules that were
referencing deleted chains. A local user who has the CAP_NET_ADMIN
capability could use this flaw to crash the system. (CVE-2015-1573, Low)
* An integer overflow flaw was found in the way the Linux kernel randomized
the stack for processes on certain 64-bit architecture systems, such as
x86-64, causing the stack entropy to be reduced by four. (CVE-2015-1593,
Low)
Red Hat would like to thank Carl Henrik Lunde for reporting CVE-2014-9420
and CVE-2014-9584. The security impact of the CVE-2015-1805 issue was
discovered by Red Hat.
This update also fixes several bugs. Documentation for these changes is
available from the following Knowledgebase article:
https://access.redhat.com/articles/1469163
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-23"/>
<updated date="2015-06-23"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9420">CVE-2014-9420</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9529">CVE-2014-9529</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9584">CVE-2014-9584</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1573">CVE-2015-1573</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1593">CVE-2015-1593</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1805">CVE-2015-1805</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2830">CVE-2015-2830</cve>
<bugzilla href="https://bugzilla.redhat.com/1175235" id="1175235">CVE-2014-9420 Kernel: fs: isofs: infinite loop in CE record entries</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1179813" id="1179813">CVE-2014-9529 kernel: use-after-free during key garbage collection</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180119" id="1180119">CVE-2014-9584 kernel: isofs: unchecked printing of ER records</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1190966" id="1190966">CVE-2015-1573 kernel: panic while flushing nftables rules that reference deleted chains.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1192519" id="1192519">CVE-2015-1593 kernel: Linux stack ASLR implementation Integer overflow</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202855" id="1202855">CVE-2015-1805 kernel: pipe: iovec overrun leading to memory corruption</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1208598" id="1208598">CVE-2015-2830 kernel: int80 fork from 64-bit tasks mishandling</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137021"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137007"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137033"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137013"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137023"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137017"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137005"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137015"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137025"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137011"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137027"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137029"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137031"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137019"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-229.7.2.el7" test_ref="oval:com.redhat.rhsa:tst:20151137009"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151139" version="601">
<metadata>
<title>RHSA-2015:1139: kernel-rt security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1139-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1139.html" source="RHSA"/>
<reference ref_id="CVE-2014-9420" ref_url="https://access.redhat.com/security/cve/CVE-2014-9420" source="CVE"/>
<reference ref_id="CVE-2014-9529" ref_url="https://access.redhat.com/security/cve/CVE-2014-9529" source="CVE"/>
<reference ref_id="CVE-2014-9584" ref_url="https://access.redhat.com/security/cve/CVE-2014-9584" source="CVE"/>
<reference ref_id="CVE-2015-1573" ref_url="https://access.redhat.com/security/cve/CVE-2015-1573" source="CVE"/>
<reference ref_id="CVE-2015-1593" ref_url="https://access.redhat.com/security/cve/CVE-2015-1593" source="CVE"/>
<reference ref_id="CVE-2015-1805" ref_url="https://access.redhat.com/security/cve/CVE-2015-1805" source="CVE"/>
<reference ref_id="CVE-2015-2830" ref_url="https://access.redhat.com/security/cve/CVE-2015-2830" source="CVE"/>
<description>The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.
* It was found that the Linux kernel's implementation of vectored pipe read
and write functionality did not take into account the I/O vectors that were
already processed when retrying after a failed atomic access operation,
potentially resulting in memory corruption due to an I/O vector array
overrun. A local, unprivileged user could use this flaw to crash the system
or, potentially, escalate their privileges on the system. (CVE-2015-1805,
Important)
* A race condition flaw was found in the way the Linux kernel keys
management subsystem performed key garbage collection. A local attacker
could attempt accessing a key while it was being garbage collected, which
would cause the system to crash. (CVE-2014-9529, Moderate)
* A flaw was found in the way the Linux kernel's 32-bit emulation
implementation handled forking or closing of a task with an 'int80' entry.
A local user could potentially use this flaw to escalate their privileges
on the system. (CVE-2015-2830, Low)
* It was found that the Linux kernel's ISO file system implementation did
not correctly limit the traversal of Rock Ridge extension Continuation
Entries (CE). An attacker with physical access to the system could use this
flaw to trigger an infinite loop in the kernel, resulting in a denial of
service. (CVE-2014-9420, Low)
* An information leak flaw was found in the way the Linux kernel's ISO9660
file system implementation accessed data on an ISO9660 image with RockRidge
Extension Reference (ER) records. An attacker with physical access to the
system could use this flaw to disclose up to 255 bytes of kernel memory.
(CVE-2014-9584, Low)
* A flaw was found in the way the nft_flush_table() function of the Linux
kernel's netfilter tables implementation flushed rules that were
referencing deleted chains. A local user who has the CAP_NET_ADMIN
capability could use this flaw to crash the system. (CVE-2015-1573, Low)
* An integer overflow flaw was found in the way the Linux kernel randomized
the stack for processes on certain 64-bit architecture systems, such as
x86-64, causing the stack entropy to be reduced by four. (CVE-2015-1593,
Low)
Red Hat would like to thank Carl Henrik Lunde for reporting CVE-2014-9420
and CVE-2014-9584. The security impact of CVE-2015-1805 was discovered by
Red Hat.
The kernel-rt packages have been upgraded to version 3.10.0-229.7.2, which
provides a number of bug fixes and enhancements over the previous version,
including:
* storvsc: get rid of overly verbose warning messages
* storvsc: force discovery of LUNs that may have been removed
* storvsc: in responce to a scan event, scan the hos
* storvsc: NULL pointer dereference fix
* futex: Mention key referencing differences between shared and private
futexes
* futex: Ensure get_futex_key_refs() always implies a barrier
* kernel module: set nx before marking module MODULE_STATE_COMING
* kernel module: Clean up ro/nx after early module load failures
* btrfs: make xattr replace operations atomic
* megaraid_sas: revert: Add release date and update driver version
* radeon: fix kernel segfault in hwmonitor
(BZ#1223955)
Bug fix:
* There is an XFS optimization that depended on a spinlock to disable
preemption using the preempt_disable() function. When CONFIG_PREEMPT_RT is
enabled on realtime kernels, spinlocks do not disable preemption while
held, so the XFS critical section was not protected from preemption.
Systems on the Realtime kernel-rt could lock up in this XFS optimization
when a task that locked all the counters was then preempted by a realtime
task, causing all callers of that lock to block indefinitely. This update
disables the optimization when building a kernel with
CONFIG_PREEMPT_RT_FULL enabled. (BZ#1223955)
All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-20"/>
<updated date="2015-06-23"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9420">CVE-2014-9420</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9529">CVE-2014-9529</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9584">CVE-2014-9584</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1573">CVE-2015-1573</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1593">CVE-2015-1593</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1805">CVE-2015-1805</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2830">CVE-2015-2830</cve>
<bugzilla href="https://bugzilla.redhat.com/1175235" id="1175235">CVE-2014-9420 Kernel: fs: isofs: infinite loop in CE record entries</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1179813" id="1179813">CVE-2014-9529 kernel: use-after-free during key garbage collection</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180119" id="1180119">CVE-2014-9584 kernel: isofs: unchecked printing of ER records</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1190966" id="1190966">CVE-2015-1573 kernel: panic while flushing nftables rules that reference deleted chains.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1192519" id="1192519">CVE-2015-1593 kernel: Linux stack ASLR implementation Integer overflow</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202855" id="1202855">CVE-2015-1805 kernel: pipe: iovec overrun leading to memory corruption</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1208598" id="1208598">CVE-2015-2830 kernel: int80 fork from 64-bit tasks mishandling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212083" id="1212083">kernel-rt: rebase to the RHEL7.1.z batch3 source tree</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel-rt is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151139017"/>
<criterion comment="kernel-rt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151139019"/>
<criterion comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151139013"/>
<criterion comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-devel is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151139011"/>
<criterion comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-doc is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151139005"/>
<criterion comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151139021"/>
<criterion comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151139015"/>
<criterion comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151139009"/>
<criterion comment="kernel-rt-virt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151139007"/>
<criterion comment="kernel-rt-virt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151153" version="601">
<metadata>
<title>RHSA-2015:1153: mailman security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1153-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1153.html" source="RHSA"/>
<reference ref_id="CVE-2015-2775" ref_url="https://access.redhat.com/security/cve/CVE-2015-2775" source="CVE"/>
<description>Mailman is a program used to help manage email discussion lists.
It was found that mailman did not sanitize the list name before passing it
to certain MTAs. A local attacker could use this flaw to execute arbitrary
code as the user running mailman. (CVE-2015-2775)
This update also fixes the following bugs:
* Previously, it was impossible to configure Mailman in a way that
Domain-based Message Authentication, Reporting & Conformance (DMARC) would
recognize Sender alignment for Domain Key Identified Mail (DKIM)
signatures. Consequently, Mailman list subscribers that belonged to a mail
server with a "reject" policy for DMARC, such as yahoo.com or AOL.com, were
unable to receive Mailman forwarded messages from senders residing in any
domain that provided DKIM signatures. With this update, domains with a
"reject" DMARC policy are recognized correctly, and Mailman list
administrators are able to configure the way these messages are handled. As
a result, after a proper configuration, subscribers now correctly receive
Mailman forwarded messages in this scenario. (BZ#1229288)
* Previously, the /etc/mailman file had incorrectly set permissions, which
in some cases caused removing Mailman lists to fail with a "'NoneType'
object has no attribute 'close'" message. With this update, the permissions
value for /etc/mailman is correctly set to 2775 instead of 0755, and
removing Mailman lists now works as expected. (BZ#1229307)
* Prior to this update, the mailman utility incorrectly installed the
tmpfiles configuration in the /etc/tmpfiles.d/ directory. As a consequence,
changes made to mailman tmpfiles configuration were overwritten if the
mailman packages were reinstalled or updated. The mailman utility now
installs the tmpfiles configuration in the /usr/lib/tmpfiles.d/ directory,
and changes made to them by the user are preserved on reinstall or update.
(BZ#1229306)
All mailman users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-23"/>
<updated date="2015-06-23"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2775">CVE-2015-2775</cve>
<bugzilla href="https://bugzilla.redhat.com/1208059" id="1208059">CVE-2015-2775 mailman: directory traversal in MTA transports that deliver programmatically</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1229288" id="1229288">Yahoo.com and AOL DMARC reject policies cripples Mailman-2.1.12 - update to newer release</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1229307" id="1229307">/etc/mailman has wrong permissions 0755 instead of 2775</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="mailman is earlier than 3:2.1.15-21.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151153005"/>
<criterion comment="mailman is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151153006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151154" version="602">
<metadata>
<title>RHSA-2015:1154: libreswan security, bug fix and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1154-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1154.html" source="RHSA"/>
<reference ref_id="CVE-2015-3204" ref_url="https://access.redhat.com/security/cve/CVE-2015-3204" source="CVE"/>
<description>Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the
Internet Protocol Security and uses strong cryptography to provide both
authentication and encryption services. These services allow you to build
secure tunnels through untrusted networks such as virtual private network
(VPN).
A flaw was discovered in the way Libreswan's IKE daemon processed certain
IKEv1 payloads. A remote attacker could send specially crafted IKEv1
payloads that, when processed, would lead to a denial of service (daemon
crash). (CVE-2015-3204)
Red Hat would like to thank Javantea for reporting this issue.
This update fixes the following bugs:
* Previously, the programs/pluto/state.h and
programs/pluto/kernel_netlink.c files had a maximum SELinux context size
of 257 and 1024 respectively. These restrictions set by libreswan limited
the size of the context that can be exchanged by pluto (the IPSec daemon)
when using a Labeled Internet Protocol Security (IPsec). The SElinux
labels for Labeled IPsec have been extended to 4096 bytes and the
mentioned restrictions no longer exist. (BZ#1198650)
* On some architectures, the kernel AES_GCM IPsec algorithm did not work
properly with acceleration drivers. On those kernels, some acceleration
modules are added to the modprobe blacklist. However, Libreswan was
ignoring this blacklist, leading to AES_GCM failures. This update adds
support for the module blacklist to the libreswan packages and thus
prevents the AES_GCM failures from occurring. (BZ#1208022)
* An IPv6 issue has been resolved that prevented ipv6-icmp Neighbour
Discovery from working properly once an IPsec tunnel is established (and
one endpoint reboots). When upgrading, ensure that /etc/ipsec.conf is
loading all /etc/ipsec.d/*conf files using the /etc/ipsec.conf "include"
statement, or explicitly include this new configuration file in
/etc/ipsec.conf. (BZ#1208023)
* A FIPS self-test prevented libreswan from properly starting in FIPS mode.
This bug has been fixed and libreswan now works in FIPS mode as expected.
(BZ#1211146)
In addition, this update adds the following enhancements:
* A new option "seedbits=" has been added to pre-seed the Network Security
Services (NSS) pseudo random number generator (PRNG) function with entropy
from the /dev/random file on startup. This option is disabled by default.
It can be enabled by setting the "seedbits=" option in the "config setup"
section in the /etc/ipsec.conf file. (BZ#1198649)
* The build process now runs a Cryptographic Algorithm Validation Program
(CAVP) certification test on the Internet Key Exchange version 1 and 2
(IKEv1 and IKEv2) PRF/PRF+ functions. (BZ#1213652)
All libreswan users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues and add these
enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-23"/>
<updated date="2015-06-23"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3204">CVE-2015-3204</cve>
<bugzilla href="https://bugzilla.redhat.com/1223361" id="1223361">CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="libreswan is earlier than 0:3.12-10.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151154005"/>
<criterion comment="libreswan is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151154006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151185" version="602">
<metadata>
<title>RHSA-2015:1185: nss security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1185-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1185.html" source="RHSA"/>
<reference ref_id="CVE-2015-2721" ref_url="https://access.redhat.com/security/cve/CVE-2015-2721" source="CVE"/>
<reference ref_id="CVE-2015-4000" ref_url="https://access.redhat.com/security/cve/CVE-2015-4000" source="CVE"/>
<description>Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server
applications.
A flaw was found in the way the TLS protocol composes the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them do decrypt all traffic. (CVE-2015-4000)
Note: This update forces the TLS/SSL client implementation in NSS to
reject DH key sizes below 768 bits, which prevents sessions to be
downgraded to export-grade keys. Future updates may raise this limit to
1024 bits.
The nss and nss-util packages have been upgraded to upstream versions
3.19.1. The upgraded versions provide a number of bug fixes and
enhancements over the previous versions.
Users of nss and nss-util are advised to upgrade to these updated packages,
which fix these security flaws, bugs, and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-25"/>
<updated date="2015-06-25"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2721">CVE-2015-2721</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4000">CVE-2015-4000</cve>
<bugzilla href="https://bugzilla.redhat.com/1223211" id="1223211">CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss-util is earlier than 0:3.19.1-1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151185007"/>
<criterion comment="nss-util is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073006"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util-devel is earlier than 0:3.19.1-1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151185005"/>
<criterion comment="nss-util-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073008"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.19.1-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151185017"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.19.1-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151185015"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.19.1-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151185009"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.19.1-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151185011"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.19.1-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151185013"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss-util is earlier than 0:3.19.1-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151185023"/>
<criterion comment="nss-util is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073006"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util-devel is earlier than 0:3.19.1-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151185024"/>
<criterion comment="nss-util-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073008"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.19.1-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151185027"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.19.1-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151185026"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.19.1-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151185029"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.19.1-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151185028"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.19.1-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151185025"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151193" version="601">
<metadata>
<title>RHSA-2015:1193: xerces-c security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1193-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1193.html" source="RHSA"/>
<reference ref_id="CVE-2015-0252" ref_url="https://access.redhat.com/security/cve/CVE-2015-0252" source="CVE"/>
<description>Xerces-C is a validating XML parser written in a portable subset of C++.
A flaw was found in the way the Xerces-C XML parser processed certain XML
documents. A remote attacker could provide specially crafted XML input
that, when parsed by an application using Xerces-C, would cause that
application to crash. (CVE-2015-0252)
All xerces-c users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-29"/>
<updated date="2015-06-29"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0252">CVE-2015-0252</cve>
<bugzilla href="https://bugzilla.redhat.com/1199103" id="1199103">CVE-2015-0252 xerces-c: crashes on malformed input</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xerces-c is earlier than 0:3.1.1-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151193005"/>
<criterion comment="xerces-c is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151193006"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-c-devel is earlier than 0:3.1.1-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151193007"/>
<criterion comment="xerces-c-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151193008"/>
</criteria>
<criteria operator="AND">
<criterion comment="xerces-c-doc is earlier than 0:3.1.1-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151193009"/>
<criterion comment="xerces-c-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151193010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151194" version="601">
<metadata>
<title>RHSA-2015:1194: postgresql security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1194-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1194.html" source="RHSA"/>
<reference ref_id="CVE-2015-3165" ref_url="https://access.redhat.com/security/cve/CVE-2015-3165" source="CVE"/>
<reference ref_id="CVE-2015-3166" ref_url="https://access.redhat.com/security/cve/CVE-2015-3166" source="CVE"/>
<reference ref_id="CVE-2015-3167" ref_url="https://access.redhat.com/security/cve/CVE-2015-3167" source="CVE"/>
<description>PostgreSQL is an advanced object-relational database management system
(DBMS).
A double-free flaw was found in the connection handling. An unauthenticated
attacker could exploit this flaw to crash the PostgreSQL back end by
disconnecting at approximately the same time as the authentication time out
is triggered. (CVE-2015-3165)
It was discovered that PostgreSQL did not properly check the return values
of certain standard library functions. If the system is in a state that
would cause the standard library functions to fail, for example memory
exhaustion, an authenticated user could exploit this flaw to disclose
partial memory contents or cause the GSSAPI authentication to use an
incorrect keytab file. (CVE-2015-3166)
It was discovered that the pgcrypto module could return different error
messages when decrypting certain data with an incorrect key. This can help
an authenticated user to launch a possible cryptographic attack, although
no suitable attack is currently known. (CVE-2015-3167)
Red Hat would like to thank the PostgreSQL project for reporting these
issues. Upstream acknowledges Benkocs Norbert Attila as the original
reporter of CVE-2015-3165 and Noah Misch as the original reporter of
CVE-2015-3166 and CVE-2015-3167.
All PostgreSQL users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. If the
postgresql service is running, it will be automatically restarted after
installing this update.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-29"/>
<updated date="2015-06-29"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3165">CVE-2015-3165</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3166">CVE-2015-3166</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3167">CVE-2015-3167</cve>
<bugzilla href="https://bugzilla.redhat.com/1221537" id="1221537">CVE-2015-3165 postgresql: double-free after authentication timeout</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1221539" id="1221539">CVE-2015-3166 postgresql: unanticipated errors from the standard library</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1221541" id="1221541">CVE-2015-3167 postgresql: pgcrypto has multiple error messages for decryption with an incorrect key.</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="postgresql is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194007"/>
<criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750006"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-contrib is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194009"/>
<criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750018"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-devel is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194021"/>
<criterion comment="postgresql-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750014"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-docs is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194019"/>
<criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750016"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-libs is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194017"/>
<criterion comment="postgresql-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750020"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plperl is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194011"/>
<criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750012"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plpython is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194005"/>
<criterion comment="postgresql-plpython is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750008"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-pltcl is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194023"/>
<criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750022"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-server is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194015"/>
<criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750010"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-test is earlier than 0:8.4.20-3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151194013"/>
<criterion comment="postgresql-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750024"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="postgresql is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194029"/>
<criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750006"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-contrib is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194040"/>
<criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750018"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-devel is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194031"/>
<criterion comment="postgresql-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750014"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-docs is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194032"/>
<criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750016"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-libs is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194037"/>
<criterion comment="postgresql-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750020"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plperl is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194035"/>
<criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750012"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plpython is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194038"/>
<criterion comment="postgresql-plpython is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750008"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-pltcl is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194039"/>
<criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750022"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-server is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194036"/>
<criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750010"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-test is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194030"/>
<criterion comment="postgresql-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750024"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-upgrade is earlier than 0:9.2.13-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151194033"/>
<criterion comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750037"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151207" version="601">
<metadata>
<title>RHSA-2015:1207: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2015:1207-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1207.html" source="RHSA"/>
<reference ref_id="CVE-2015-2722" ref_url="https://access.redhat.com/security/cve/CVE-2015-2722" source="CVE"/>
<reference ref_id="CVE-2015-2724" ref_url="https://access.redhat.com/security/cve/CVE-2015-2724" source="CVE"/>
<reference ref_id="CVE-2015-2725" ref_url="https://access.redhat.com/security/cve/CVE-2015-2725" source="CVE"/>
<reference ref_id="CVE-2015-2727" ref_url="https://access.redhat.com/security/cve/CVE-2015-2727" source="CVE"/>
<reference ref_id="CVE-2015-2728" ref_url="https://access.redhat.com/security/cve/CVE-2015-2728" source="CVE"/>
<reference ref_id="CVE-2015-2729" ref_url="https://access.redhat.com/security/cve/CVE-2015-2729" source="CVE"/>
<reference ref_id="CVE-2015-2731" ref_url="https://access.redhat.com/security/cve/CVE-2015-2731" source="CVE"/>
<reference ref_id="CVE-2015-2733" ref_url="https://access.redhat.com/security/cve/CVE-2015-2733" source="CVE"/>
<reference ref_id="CVE-2015-2734" ref_url="https://access.redhat.com/security/cve/CVE-2015-2734" source="CVE"/>
<reference ref_id="CVE-2015-2735" ref_url="https://access.redhat.com/security/cve/CVE-2015-2735" source="CVE"/>
<reference ref_id="CVE-2015-2736" ref_url="https://access.redhat.com/security/cve/CVE-2015-2736" source="CVE"/>
<reference ref_id="CVE-2015-2737" ref_url="https://access.redhat.com/security/cve/CVE-2015-2737" source="CVE"/>
<reference ref_id="CVE-2015-2738" ref_url="https://access.redhat.com/security/cve/CVE-2015-2738" source="CVE"/>
<reference ref_id="CVE-2015-2739" ref_url="https://access.redhat.com/security/cve/CVE-2015-2739" source="CVE"/>
<reference ref_id="CVE-2015-2740" ref_url="https://access.redhat.com/security/cve/CVE-2015-2740" source="CVE"/>
<reference ref_id="CVE-2015-2741" ref_url="https://access.redhat.com/security/cve/CVE-2015-2741" source="CVE"/>
<reference ref_id="CVE-2015-2743" ref_url="https://access.redhat.com/security/cve/CVE-2015-2743" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2722, CVE-2015-2727,
CVE-2015-2728, CVE-2015-2729, CVE-2015-2731, CVE-2015-2733, CVE-2015-2734,
CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
CVE-2015-2740)
It was found that Firefox skipped key-pinning checks when handling an error
that could be overridden by the user (for example an expired certificate
error). This flaw allowed a user to override a pinned certificate, which is
an action the user should not be able to perform. (CVE-2015-2741)
A flaw was discovered in Mozilla's PDF.js PDF file viewer. When combined
with another vulnerability, it could allow execution of arbitrary code with
the privileges of the user running Firefox. (CVE-2015-2743)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Bob Clary, Christian Holler, Bobby Holley, Andrew
McCreight, Terrence Cole, Steve Fink, Mats Palmgren, Wes Kocher, Andreas
Pehrson, Jann Horn, Paul Bandha, Holger Fuhrmannek, Herre, Looben Yan,
Ronald Crane, and Jonas Jenwald as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.1 ESR, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-02"/>
<updated date="2015-07-02"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2722">CVE-2015-2722</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2724">CVE-2015-2724</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2725">CVE-2015-2725</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2727">CVE-2015-2727</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2728">CVE-2015-2728</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2729">CVE-2015-2729</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2731">CVE-2015-2731</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2733">CVE-2015-2733</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2734">CVE-2015-2734</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2735">CVE-2015-2735</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2736">CVE-2015-2736</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2737">CVE-2015-2737</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2738">CVE-2015-2738</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2739">CVE-2015-2739</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2740">CVE-2015-2740</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2741">CVE-2015-2741</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2743">CVE-2015-2743</cve>
<bugzilla href="https://bugzilla.redhat.com/1236947" id="1236947">CVE-2015-2724 CVE-2015-2725 Mozilla: Miscellaneous memory safety hazards (rv:31.8 / rv:38.1) (MFSA 2015-59)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236950" id="1236950">CVE-2015-2727 Mozilla: Local files or privileged URLs in pages can be opened into new tabs (MFSA 2015-60)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236951" id="1236951">CVE-2015-2728 Mozilla: Type confusion in Indexed Database Manager (MFSA 2015-61)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236952" id="1236952">CVE-2015-2729 Mozilla: Out-of-bound read while computing an oscillator rendering range in Web Audio (MFSA 2015-62)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236953" id="1236953">CVE-2015-2731 Mozilla: Use-after-free in Content Policy due to microtask execution error (MFSA 2015-63)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236955" id="1236955">CVE-2015-2722 CVE-2015-2733 Mozilla: Use-after-free in workers while using XMLHttpRequest (MFSA 2015-65)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236956" id="1236956">CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-66)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236963" id="1236963">CVE-2015-2741 Mozilla: Key pinning is ignored when overridable errors are encountered (MFSA 2015-67)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236964" id="1236964">CVE-2015-2743 Mozilla: Privilege escalation in PDF.js (MFSA 2015-69)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.1.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151207002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.1.0-1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151207008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.1.0-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151207014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151228" version="601">
<metadata>
<title>RHSA-2015:1228: java-1.8.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1228-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1228.html" source="RHSA"/>
<reference ref_id="CVE-2015-2590" ref_url="https://access.redhat.com/security/cve/CVE-2015-2590" source="CVE"/>
<reference ref_id="CVE-2015-2601" ref_url="https://access.redhat.com/security/cve/CVE-2015-2601" source="CVE"/>
<reference ref_id="CVE-2015-2621" ref_url="https://access.redhat.com/security/cve/CVE-2015-2621" source="CVE"/>
<reference ref_id="CVE-2015-2625" ref_url="https://access.redhat.com/security/cve/CVE-2015-2625" source="CVE"/>
<reference ref_id="CVE-2015-2628" ref_url="https://access.redhat.com/security/cve/CVE-2015-2628" source="CVE"/>
<reference ref_id="CVE-2015-2632" ref_url="https://access.redhat.com/security/cve/CVE-2015-2632" source="CVE"/>
<reference ref_id="CVE-2015-2659" ref_url="https://access.redhat.com/security/cve/CVE-2015-2659" source="CVE"/>
<reference ref_id="CVE-2015-2808" ref_url="https://access.redhat.com/security/cve/CVE-2015-2808" source="CVE"/>
<reference ref_id="CVE-2015-3149" ref_url="https://access.redhat.com/security/cve/CVE-2015-3149" source="CVE"/>
<reference ref_id="CVE-2015-4000" ref_url="https://access.redhat.com/security/cve/CVE-2015-4000" source="CVE"/>
<reference ref_id="CVE-2015-4731" ref_url="https://access.redhat.com/security/cve/CVE-2015-4731" source="CVE"/>
<reference ref_id="CVE-2015-4732" ref_url="https://access.redhat.com/security/cve/CVE-2015-4732" source="CVE"/>
<reference ref_id="CVE-2015-4733" ref_url="https://access.redhat.com/security/cve/CVE-2015-4733" source="CVE"/>
<reference ref_id="CVE-2015-4748" ref_url="https://access.redhat.com/security/cve/CVE-2015-4748" source="CVE"/>
<reference ref_id="CVE-2015-4749" ref_url="https://access.redhat.com/security/cve/CVE-2015-4749" source="CVE"/>
<reference ref_id="CVE-2015-4760" ref_url="https://access.redhat.com/security/cve/CVE-2015-4760" source="CVE"/>
<description>The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2015-4760,
CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)
A flaw was found in the way the Libraries component of OpenJDK verified
Online Certificate Status Protocol (OCSP) responses. An OCSP response with
no nextUpdate date specified was incorrectly handled as having unlimited
validity, possibly causing a revoked X.509 certificate to be interpreted as
valid. (CVE-2015-4748)
It was discovered that the JCE component in OpenJDK failed to use constant
time comparisons in multiple cases. An attacker could possibly use these
flaws to disclose sensitive information by measuring the time used to
perform operations using these non-constant time comparisons.
(CVE-2015-2601)
It was discovered that the GCM (Galois Counter Mode) implementation in the
Security component of OpenJDK failed to properly perform a null check.
This could cause the Java Virtual Machine to crash when an application
performed encryption using a block cipher in the GCM mode. (CVE-2015-2659)
A flaw was found in the RC4 encryption algorithm. When using certain keys
for RC4 encryption, an attacker could obtain portions of the plain text
from the cipher text without the knowledge of the encryption key.
(CVE-2015-2808)
Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by
default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug
1207101, linked to in the References section, for additional details about
this change.
A flaw was found in the way the TLS protocol composed the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them do decrypt all traffic. (CVE-2015-4000)
Note: This update forces the TLS/SSL client implementation in OpenJDK to
reject DH key sizes below 768 bits, which prevents sessions to be
downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,
linked to in the References section, for additional details about this
change.
It was discovered that the JNDI component in OpenJDK did not handle DNS
resolutions correctly. An attacker able to trigger such DNS errors could
cause a Java application using JNDI to consume memory and CPU time, and
possibly block further DNS resolution. (CVE-2015-4749)
Multiple information leak flaws were found in the JMX and 2D components in
OpenJDK. An untrusted Java application or applet could use this flaw to
bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)
A flaw was found in the way the JSSE component in OpenJDK performed X.509
certificate identity verification when establishing a TLS/SSL connection to
a host identified by an IP address. In certain cases, the certificate was
accepted as valid if it was issued for a host name to which the IP address
resolves rather than for the IP address. (CVE-2015-2625)
Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error log
files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. Note: This issue was
originally fixed as CVE-2015-0383, but the fix was regressed in the
RHSA-2015:0809 advisory. (CVE-2015-3149)
All users of java-1.8.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-15"/>
<updated date="2015-07-15"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2590">CVE-2015-2590</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2601">CVE-2015-2601</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2621">CVE-2015-2621</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2625">CVE-2015-2625</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2628">CVE-2015-2628</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2632">CVE-2015-2632</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2659">CVE-2015-2659</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2808">CVE-2015-2808</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3149">CVE-2015-3149</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4000">CVE-2015-4000</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4731">CVE-2015-4731</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4732">CVE-2015-4732</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4733">CVE-2015-4733</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4748">CVE-2015-4748</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4749">CVE-2015-4749</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4760">CVE-2015-4760</cve>
<bugzilla href="https://bugzilla.redhat.com/1207101" id="1207101">CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213365" id="1213365">CVE-2015-3149 OpenJDK8: insecure hsperfdata temporary file handling, CVE-2015-0383 regression (Hotspot)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223211" id="1223211">CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1241965" id="1241965">CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242019" id="1242019">CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242144" id="1242144">CVE-2015-2659 OpenJDK: GCM cipher issue causing JVM crash (Security, 8067648)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242232" id="1242232">CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242234" id="1242234">CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242240" id="1242240">CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242275" id="1242275">CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242281" id="1242281">CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242372" id="1242372">CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242379" id="1242379">CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242394" id="1242394">CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242447" id="1242447">CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243139" id="1243139">CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk is earlier than 1:1.8.0.51-0.b16.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151228009"/>
<criterion comment="java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.51-0.b16.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151228007"/>
<criterion comment="java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.51-0.b16.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151228005"/>
<criterion comment="java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.51-0.b16.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151228011"/>
<criterion comment="java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.51-0.b16.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151228015"/>
<criterion comment="java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.51-0.b16.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151228013"/>
<criterion comment="java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809016"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk is earlier than 1:1.8.0.51-1.b16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151228022"/>
<criterion comment="java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.51-1.b16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151228024"/>
<criterion comment="java-1.8.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809023"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.51-1.b16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151228027"/>
<criterion comment="java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.51-1.b16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151228023"/>
<criterion comment="java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.51-1.b16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151228021"/>
<criterion comment="java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.51-1.b16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151228028"/>
<criterion comment="java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.51-1.b16.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151228026"/>
<criterion comment="java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809016"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151229" version="601">
<metadata>
<title>RHSA-2015:1229: java-1.7.0-openjdk security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1229-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1229.html" source="RHSA"/>
<reference ref_id="CVE-2015-2590" ref_url="https://access.redhat.com/security/cve/CVE-2015-2590" source="CVE"/>
<reference ref_id="CVE-2015-2601" ref_url="https://access.redhat.com/security/cve/CVE-2015-2601" source="CVE"/>
<reference ref_id="CVE-2015-2621" ref_url="https://access.redhat.com/security/cve/CVE-2015-2621" source="CVE"/>
<reference ref_id="CVE-2015-2625" ref_url="https://access.redhat.com/security/cve/CVE-2015-2625" source="CVE"/>
<reference ref_id="CVE-2015-2628" ref_url="https://access.redhat.com/security/cve/CVE-2015-2628" source="CVE"/>
<reference ref_id="CVE-2015-2632" ref_url="https://access.redhat.com/security/cve/CVE-2015-2632" source="CVE"/>
<reference ref_id="CVE-2015-2808" ref_url="https://access.redhat.com/security/cve/CVE-2015-2808" source="CVE"/>
<reference ref_id="CVE-2015-4000" ref_url="https://access.redhat.com/security/cve/CVE-2015-4000" source="CVE"/>
<reference ref_id="CVE-2015-4731" ref_url="https://access.redhat.com/security/cve/CVE-2015-4731" source="CVE"/>
<reference ref_id="CVE-2015-4732" ref_url="https://access.redhat.com/security/cve/CVE-2015-4732" source="CVE"/>
<reference ref_id="CVE-2015-4733" ref_url="https://access.redhat.com/security/cve/CVE-2015-4733" source="CVE"/>
<reference ref_id="CVE-2015-4748" ref_url="https://access.redhat.com/security/cve/CVE-2015-4748" source="CVE"/>
<reference ref_id="CVE-2015-4749" ref_url="https://access.redhat.com/security/cve/CVE-2015-4749" source="CVE"/>
<reference ref_id="CVE-2015-4760" ref_url="https://access.redhat.com/security/cve/CVE-2015-4760" source="CVE"/>
<description>The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2015-4760,
CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)
A flaw was found in the way the Libraries component of OpenJDK verified
Online Certificate Status Protocol (OCSP) responses. An OCSP response with
no nextUpdate date specified was incorrectly handled as having unlimited
validity, possibly causing a revoked X.509 certificate to be interpreted as
valid. (CVE-2015-4748)
It was discovered that the JCE component in OpenJDK failed to use constant
time comparisons in multiple cases. An attacker could possibly use these
flaws to disclose sensitive information by measuring the time used to
perform operations using these non-constant time comparisons.
(CVE-2015-2601)
A flaw was found in the RC4 encryption algorithm. When using certain keys
for RC4 encryption, an attacker could obtain portions of the plain text
from the cipher text without the knowledge of the encryption key.
(CVE-2015-2808)
Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by
default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug
1207101, linked to in the References section, for additional details about
this change.
A flaw was found in the way the TLS protocol composed the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them do decrypt all traffic. (CVE-2015-4000)
Note: This update forces the TLS/SSL client implementation in OpenJDK to
reject DH key sizes below 768 bits, which prevents sessions to be
downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,
linked to in the References section, for additional details about this
change.
It was discovered that the JNDI component in OpenJDK did not handle DNS
resolutions correctly. An attacker able to trigger such DNS errors could
cause a Java application using JNDI to consume memory and CPU time, and
possibly block further DNS resolution. (CVE-2015-4749)
Multiple information leak flaws were found in the JMX and 2D components in
OpenJDK. An untrusted Java application or applet could use this flaw to
bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)
A flaw was found in the way the JSSE component in OpenJDK performed X.509
certificate identity verification when establishing a TLS/SSL connection to
a host identified by an IP address. In certain cases, the certificate was
accepted as valid if it was issued for a host name to which the IP address
resolves rather than for the IP address. (CVE-2015-2625)
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-15"/>
<updated date="2015-07-15"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2590">CVE-2015-2590</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2601">CVE-2015-2601</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2621">CVE-2015-2621</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2625">CVE-2015-2625</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2628">CVE-2015-2628</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2632">CVE-2015-2632</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2808">CVE-2015-2808</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4000">CVE-2015-4000</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4731">CVE-2015-4731</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4732">CVE-2015-4732</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4733">CVE-2015-4733</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4748">CVE-2015-4748</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4749">CVE-2015-4749</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4760">CVE-2015-4760</cve>
<bugzilla href="https://bugzilla.redhat.com/1207101" id="1207101">CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223211" id="1223211">CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1241965" id="1241965">CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242019" id="1242019">CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242232" id="1242232">CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242234" id="1242234">CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242240" id="1242240">CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242275" id="1242275">CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242281" id="1242281">CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242372" id="1242372">CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242379" id="1242379">CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242394" id="1242394">CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242447" id="1242447">CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243139" id="1243139">CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.85-2.6.1.3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151229011"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.85-2.6.1.3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151229007"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.85-2.6.1.3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151229009"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.85-2.6.1.3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151229013"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.85-2.6.1.3.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151229005"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.85-2.6.1.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151229025"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.85-2.6.1.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151229022"/>
<criterion comment="java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.85-2.6.1.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151229026"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.85-2.6.1.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151229021"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.85-2.6.1.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151229019"/>
<criterion comment="java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.85-2.6.1.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151229027"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.85-2.6.1.2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151229024"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151443" version="601">
<metadata>
<title>RHSA-2015:1443: bind security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1443-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1443.html" source="RHSA"/>
<reference ref_id="CVE-2015-4620" ref_url="https://access.redhat.com/security/cve/CVE-2015-4620" source="CVE"/>
<description>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.
A flaw was found in the way BIND performed DNSSEC validation. An attacker
able to make BIND (functioning as a DNS resolver with DNSSEC validation
enabled) resolve a name in an attacker-controlled domain could cause named
to exit unexpectedly with an assertion failure. (CVE-2015-4620)
Red Hat would like to thank ISC for reporting this issue.
All bind users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, the BIND daemon (named) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-20"/>
<updated date="2015-07-20"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4620">CVE-2015-4620</cve>
<bugzilla href="https://bugzilla.redhat.com/1237258" id="1237258">CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned()</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443013"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443019"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443017"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443005"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs-lite is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443015"/>
<criterion comment="bind-libs-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984041"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-license is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443023"/>
<criterion comment="bind-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984029"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-lite-devel is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443011"/>
<criterion comment="bind-lite-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984039"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443007"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb-chroot is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443021"/>
<criterion comment="bind-sdb-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984035"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.9.4-18.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151443009"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151455" version="601">
<metadata>
<title>RHSA-2015:1455: thunderbird security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1455-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1455.html" source="RHSA"/>
<reference ref_id="CVE-2015-2724" ref_url="https://access.redhat.com/security/cve/CVE-2015-2724" source="CVE"/>
<reference ref_id="CVE-2015-2725" ref_url="https://access.redhat.com/security/cve/CVE-2015-2725" source="CVE"/>
<reference ref_id="CVE-2015-2731" ref_url="https://access.redhat.com/security/cve/CVE-2015-2731" source="CVE"/>
<reference ref_id="CVE-2015-2734" ref_url="https://access.redhat.com/security/cve/CVE-2015-2734" source="CVE"/>
<reference ref_id="CVE-2015-2735" ref_url="https://access.redhat.com/security/cve/CVE-2015-2735" source="CVE"/>
<reference ref_id="CVE-2015-2736" ref_url="https://access.redhat.com/security/cve/CVE-2015-2736" source="CVE"/>
<reference ref_id="CVE-2015-2737" ref_url="https://access.redhat.com/security/cve/CVE-2015-2737" source="CVE"/>
<reference ref_id="CVE-2015-2738" ref_url="https://access.redhat.com/security/cve/CVE-2015-2738" source="CVE"/>
<reference ref_id="CVE-2015-2739" ref_url="https://access.redhat.com/security/cve/CVE-2015-2739" source="CVE"/>
<reference ref_id="CVE-2015-2740" ref_url="https://access.redhat.com/security/cve/CVE-2015-2740" source="CVE"/>
<reference ref_id="CVE-2015-2741" ref_url="https://access.redhat.com/security/cve/CVE-2015-2741" source="CVE"/>
<description>Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-2724, CVE-2015-2725, CVE-2015-2731, CVE-2015-2734,
CVE-2015-2735, CVE-2015-2736, CVE-2015-2737, CVE-2015-2738, CVE-2015-2739,
CVE-2015-2740)
It was found that Thunderbird skipped key-pinning checks when handling an
error that could be overridden by the user (for example an expired
certificate error). This flaw allowed a user to override a pinned
certificate, which is an action the user should not be able to perform.
(CVE-2015-2741)
Note: All of the above issues cannot be exploited by a specially crafted
HTML mail message as JavaScript is disabled by default for mail messages.
They could be exploited another way in Thunderbird, for example, when
viewing the full remote content of an RSS feed.
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Bob Clary, Christian Holler, Bobby Holley, Andrew
McCreight, Herre, Ronald Crane, and David Keeler as the original reporters
of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 31.8. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 31.8, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-20"/>
<updated date="2015-07-20"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2724">CVE-2015-2724</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2725">CVE-2015-2725</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2731">CVE-2015-2731</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2734">CVE-2015-2734</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2735">CVE-2015-2735</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2736">CVE-2015-2736</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2737">CVE-2015-2737</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2738">CVE-2015-2738</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2739">CVE-2015-2739</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2740">CVE-2015-2740</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2741">CVE-2015-2741</cve>
<bugzilla href="https://bugzilla.redhat.com/1236947" id="1236947">CVE-2015-2724 CVE-2015-2725 Mozilla: Miscellaneous memory safety hazards (rv:31.8 / rv:38.1) (MFSA 2015-59)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236953" id="1236953">CVE-2015-2731 Mozilla: Use-after-free in Content Policy due to microtask execution error (MFSA 2015-63)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236956" id="1236956">CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-66)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1236963" id="1236963">CVE-2015-2741 Mozilla: Key pinning is ignored when overridable errors are encountered (MFSA 2015-67)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/a:redhat:rhel_productivity:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="thunderbird is earlier than 0:31.8.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151455002"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150771003"/>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:31.8.0-1.el6_6" test_ref="oval:com.redhat.rhsa:tst:20151455008"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:31.8.0-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151455014"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151483" version="601">
<metadata>
<title>RHSA-2015:1483: libuser security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1483-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1483.html" source="RHSA"/>
<reference ref_id="CVE-2015-3245" ref_url="https://access.redhat.com/security/cve/CVE-2015-3245" source="CVE"/>
<reference ref_id="CVE-2015-3246" ref_url="https://access.redhat.com/security/cve/CVE-2015-3246" source="CVE"/>
<description>The libuser library implements a standardized interface for manipulating
and administering user and group accounts. Sample applications that are
modeled after applications from the shadow password suite (shadow-utils)
are included in these packages.
Two flaws were found in the way the libuser library handled the /etc/passwd
file. A local attacker could use an application compiled against libuser
(for example, userhelper) to manipulate the /etc/passwd file, which could
result in a denial of service or possibly allow the attacker to escalate
their privileges to root. (CVE-2015-3245, CVE-2015-3246)
Red Hat would like to thank Qualys for reporting these issues.
All libuser users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-23"/>
<updated date="2015-07-23"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3245">CVE-2015-3245</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3246">CVE-2015-3246</cve>
<bugzilla href="https://bugzilla.redhat.com/1233043" id="1233043">CVE-2015-3245 libuser does not filter newline characters in the GECOS field</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1233052" id="1233052">CVE-2015-3246 libuser: Security flaw in handling /etc/passwd file</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libuser is earlier than 0:0.60-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151483009"/>
<criterion comment="libuser is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151483010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libuser-devel is earlier than 0:0.60-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151483005"/>
<criterion comment="libuser-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151483006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libuser-python is earlier than 0:0.60-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151483007"/>
<criterion comment="libuser-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151483008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151507" version="601">
<metadata>
<title>RHSA-2015:1507: qemu-kvm security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1507-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1507.html" source="RHSA"/>
<reference ref_id="CVE-2015-3214" ref_url="https://access.redhat.com/security/cve/CVE-2015-3214" source="CVE"/>
<reference ref_id="CVE-2015-5154" ref_url="https://access.redhat.com/security/cve/CVE-2015-5154" source="CVE"/>
<description>KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the
user-space component for running virtual machines using KVM.
A heap buffer overflow flaw was found in the way QEMU's IDE subsystem
handled I/O buffer access while processing certain ATAPI commands.
A privileged guest user in a guest with the CDROM drive enabled could
potentially use this flaw to execute arbitrary code on the host with the
privileges of the host's QEMU process corresponding to the guest.
(CVE-2015-5154)
An out-of-bounds memory access flaw, leading to memory corruption or
possibly an information leak, was found in QEMU's pit_ioport_read()
function. A privileged guest user in a QEMU guest, which had QEMU PIT
emulation enabled, could potentially, in rare cases, use this flaw to
execute arbitrary code on the host with the privileges of the hosting QEMU
process. (CVE-2015-3214)
Red Hat would like to thank Matt Tait of Google's Project Zero security
team for reporting the CVE-2015-3214 issue. The CVE-2015-5154 issue was
discovered by Kevin Wolf of Red Hat.
This update also fixes the following bug:
* Due to an incorrect implementation of portable memory barriers, the QEMU
emulator in some cases terminated unexpectedly when a virtual disk was
under heavy I/O load. This update fixes the implementation in order to
achieve correct synchronization between QEMU's threads. As a result, the
described crash no longer occurs. (BZ#1233643)
All qemu-kvm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-27"/>
<updated date="2015-07-27"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3214">CVE-2015-3214</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5154">CVE-2015-5154</cve>
<bugzilla href="https://bugzilla.redhat.com/1229640" id="1229640">CVE-2015-3214 qemu/kvm: i8254: out-of-bounds memory access in pit_ioport_read function</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243563" id="1243563">CVE-2015-5154 qemu: ide: atapi: heap overflow during I/O buffer memory access</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libcacard is earlier than 10:1.5.3-86.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151507005"/>
<criterion comment="libcacard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-devel is earlier than 10:1.5.3-86.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151507009"/>
<criterion comment="libcacard-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-tools is earlier than 10:1.5.3-86.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151507007"/>
<criterion comment="libcacard-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704016"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-img is earlier than 10:1.5.3-86.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151507011"/>
<criterion comment="qemu-img is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704014"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm is earlier than 10:1.5.3-86.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151507015"/>
<criterion comment="qemu-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704006"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151507013"/>
<criterion comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704018"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151507017"/>
<criterion comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151510" version="601">
<metadata>
<title>RHSA-2015:1510: clutter security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1510-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1510.html" source="RHSA"/>
<reference ref_id="CVE-2015-3213" ref_url="https://access.redhat.com/security/cve/CVE-2015-3213" source="CVE"/>
<description>Clutter is a library for creating fast, visually rich, graphical user
interfaces. Clutter is used for rendering the GNOME desktop environment.
A flaw was found in the way clutter processed certain mouse and touch
gestures. An attacker could use this flaw to bypass the screen lock.
(CVE-2015-3213)
All clutter users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, all applications using clutter must be restarted for the update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-27"/>
<updated date="2015-07-27"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3213">CVE-2015-3213</cve>
<bugzilla href="https://bugzilla.redhat.com/1227098" id="1227098">CVE-2015-3213 Gnome clutter: screenlock bypass by performing certain mouse gestures</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="clutter is earlier than 0:1.14.4-12.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151510009"/>
<criterion comment="clutter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535012"/>
</criteria>
<criteria operator="AND">
<criterion comment="clutter-devel is earlier than 0:1.14.4-12.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151510007"/>
<criterion comment="clutter-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535014"/>
</criteria>
<criteria operator="AND">
<criterion comment="clutter-doc is earlier than 0:1.14.4-12.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151510005"/>
<criterion comment="clutter-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150535016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151513" version="601">
<metadata>
<title>RHSA-2015:1513: bind security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1513-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1513.html" source="RHSA"/>
<reference ref_id="CVE-2015-5477" ref_url="https://access.redhat.com/security/cve/CVE-2015-5477" source="CVE"/>
<description>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.
A flaw was found in the way BIND handled requests for TKEY DNS resource
records. A remote attacker could use this flaw to make named (functioning
as an authoritative DNS server or a DNS resolver) exit unexpectedly with an
assertion failure via a specially crafted DNS request packet.
(CVE-2015-5477)
Red Hat would like to thank ISC for reporting this issue. Upstream
acknowledges Jonathan Foote as the original reporter.
All bind users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, the BIND daemon (named) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-28"/>
<updated date="2015-07-28"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5477">CVE-2015-5477</cve>
<bugzilla href="https://bugzilla.redhat.com/1247361" id="1247361">CVE-2015-5477 bind: TKEY query handling flaw leading to denial of service</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.8.2-0.37.rc1.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151513011"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.8.2-0.37.rc1.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151513009"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.8.2-0.37.rc1.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151513005"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.8.2-0.37.rc1.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151513015"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.8.2-0.37.rc1.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151513013"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.8.2-0.37.rc1.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151513007"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513032"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513028"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513022"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513029"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs-lite is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513030"/>
<criterion comment="bind-libs-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984041"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-license is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513033"/>
<criterion comment="bind-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984029"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-lite-devel is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513026"/>
<criterion comment="bind-lite-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984039"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513021"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb-chroot is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513023"/>
<criterion comment="bind-sdb-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984035"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.9.4-18.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151513025"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151526" version="601">
<metadata>
<title>RHSA-2015:1526: java-1.6.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1526-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1526.html" source="RHSA"/>
<reference ref_id="CVE-2015-2590" ref_url="https://access.redhat.com/security/cve/CVE-2015-2590" source="CVE"/>
<reference ref_id="CVE-2015-2601" ref_url="https://access.redhat.com/security/cve/CVE-2015-2601" source="CVE"/>
<reference ref_id="CVE-2015-2621" ref_url="https://access.redhat.com/security/cve/CVE-2015-2621" source="CVE"/>
<reference ref_id="CVE-2015-2625" ref_url="https://access.redhat.com/security/cve/CVE-2015-2625" source="CVE"/>
<reference ref_id="CVE-2015-2628" ref_url="https://access.redhat.com/security/cve/CVE-2015-2628" source="CVE"/>
<reference ref_id="CVE-2015-2632" ref_url="https://access.redhat.com/security/cve/CVE-2015-2632" source="CVE"/>
<reference ref_id="CVE-2015-2808" ref_url="https://access.redhat.com/security/cve/CVE-2015-2808" source="CVE"/>
<reference ref_id="CVE-2015-4000" ref_url="https://access.redhat.com/security/cve/CVE-2015-4000" source="CVE"/>
<reference ref_id="CVE-2015-4731" ref_url="https://access.redhat.com/security/cve/CVE-2015-4731" source="CVE"/>
<reference ref_id="CVE-2015-4732" ref_url="https://access.redhat.com/security/cve/CVE-2015-4732" source="CVE"/>
<reference ref_id="CVE-2015-4733" ref_url="https://access.redhat.com/security/cve/CVE-2015-4733" source="CVE"/>
<reference ref_id="CVE-2015-4748" ref_url="https://access.redhat.com/security/cve/CVE-2015-4748" source="CVE"/>
<reference ref_id="CVE-2015-4749" ref_url="https://access.redhat.com/security/cve/CVE-2015-4749" source="CVE"/>
<reference ref_id="CVE-2015-4760" ref_url="https://access.redhat.com/security/cve/CVE-2015-4760" source="CVE"/>
<description>The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2015-4760,
CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)
A flaw was found in the way the Libraries component of OpenJDK verified
Online Certificate Status Protocol (OCSP) responses. An OCSP response with
no nextUpdate date specified was incorrectly handled as having unlimited
validity, possibly causing a revoked X.509 certificate to be interpreted as
valid. (CVE-2015-4748)
It was discovered that the JCE component in OpenJDK failed to use constant
time comparisons in multiple cases. An attacker could possibly use these
flaws to disclose sensitive information by measuring the time used to
perform operations using these non-constant time comparisons.
(CVE-2015-2601)
A flaw was found in the RC4 encryption algorithm. When using certain keys
for RC4 encryption, an attacker could obtain portions of the plain text
from the cipher text without the knowledge of the encryption key.
(CVE-2015-2808)
Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by
default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug
1207101, linked to in the References section, for additional details about
this change.
A flaw was found in the way the TLS protocol composed the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them to decrypt all traffic. (CVE-2015-4000)
Note: This update forces the TLS/SSL client implementation in OpenJDK to
reject DH key sizes below 768 bits, which prevents sessions to be
downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,
linked to in the References section, for additional details about this
change.
It was discovered that the JNDI component in OpenJDK did not handle DNS
resolutions correctly. An attacker able to trigger such DNS errors could
cause a Java application using JNDI to consume memory and CPU time, and
possibly block further DNS resolution. (CVE-2015-4749)
Multiple information leak flaws were found in the JMX and 2D components in
OpenJDK. An untrusted Java application or applet could use this flaw to
bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)
A flaw was found in the way the JSSE component in OpenJDK performed X.509
certificate identity verification when establishing a TLS/SSL connection to
a host identified by an IP address. In certain cases, the certificate was
accepted as valid if it was issued for a host name to which the IP address
resolves rather than for the IP address. (CVE-2015-2625)
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-30"/>
<updated date="2015-07-30"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2590">CVE-2015-2590</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2601">CVE-2015-2601</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2621">CVE-2015-2621</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2625">CVE-2015-2625</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2628">CVE-2015-2628</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2632">CVE-2015-2632</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2808">CVE-2015-2808</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4000">CVE-2015-4000</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4731">CVE-2015-4731</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4732">CVE-2015-4732</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4733">CVE-2015-4733</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4748">CVE-2015-4748</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4749">CVE-2015-4749</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4760">CVE-2015-4760</cve>
<bugzilla href="https://bugzilla.redhat.com/1207101" id="1207101">CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223211" id="1223211">CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1241965" id="1241965">CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242019" id="1242019">CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242232" id="1242232">CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242234" id="1242234">CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242240" id="1242240">CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242275" id="1242275">CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242281" id="1242281">CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242372" id="1242372">CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242379" id="1242379">CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242394" id="1242394">CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242447" id="1242447">CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243139" id="1243139">CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.36-1.13.8.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151526006"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907003"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.36-1.13.8.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151526004"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907011"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.36-1.13.8.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151526010"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907009"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.36-1.13.8.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151526002"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907007"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.36-1.13.8.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151526008"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907005"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.36-1.13.8.1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151526024"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.36-1.13.8.1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151526020"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.36-1.13.8.1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151526016"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.36-1.13.8.1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151526018"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.36-1.13.8.1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151526022"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.36-1.13.8.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151526034"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.36-1.13.8.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151526032"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.36-1.13.8.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151526030"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.36-1.13.8.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151526033"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.36-1.13.8.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151526031"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151534" version="601">
<metadata>
<title>RHSA-2015:1534: kernel security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1534-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1534.html" source="RHSA"/>
<reference ref_id="CVE-2014-9715" ref_url="https://access.redhat.com/security/cve/CVE-2014-9715" source="CVE"/>
<reference ref_id="CVE-2015-2666" ref_url="https://access.redhat.com/security/cve/CVE-2015-2666" source="CVE"/>
<reference ref_id="CVE-2015-2922" ref_url="https://access.redhat.com/security/cve/CVE-2015-2922" source="CVE"/>
<reference ref_id="CVE-2015-3636" ref_url="https://access.redhat.com/security/cve/CVE-2015-3636" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* An integer overflow flaw was found in the way the Linux kernel's
netfilter connection tracking implementation loaded extensions. An attacker
on a local network could potentially send a sequence of specially crafted
packets that would initiate the loading of a large number of extensions,
causing the targeted system in that network to crash. (CVE-2014-9715,
Moderate)
* A stack-based buffer overflow flaw was found in the Linux kernel's early
load microcode functionality. On a system with UEFI Secure Boot enabled, a
local, privileged user could use this flaw to increase their privileges to
the kernel (ring0) level, bypassing intended restrictions in place.
(CVE-2015-2666, Moderate)
* It was found that the Linux kernel's ping socket implementation did not
properly handle socket unhashing during spurious disconnects, which could
lead to a use-after-free flaw. On x86-64 architecture systems, a local user
able to create ping sockets could use this flaw to crash the system.
On non-x86-64 architecture systems, a local user able to create ping
sockets could use this flaw to escalate their privileges on the system.
(CVE-2015-3636, Moderate)
* It was found that the Linux kernel's TCP/IP protocol suite implementation
for IPv6 allowed the Hop Limit value to be set to a smaller value than the
default one. An attacker on a local network could use this flaw to prevent
systems on that network from sending or receiving network packets.
(CVE-2015-2922, Low)
Red Hat would like to thank Nathan Hoad for reporting the CVE-2014-9715
issue.
This update also fixes several bugs. Refer to the following Knowledgebase
article for further information:
https://access.redhat.com/articles/1474193
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-05"/>
<updated date="2015-08-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9715">CVE-2014-9715</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2666">CVE-2015-2666</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2922">CVE-2015-2922</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3636">CVE-2015-3636</cve>
<bugzilla href="https://bugzilla.redhat.com/1203712" id="1203712">CVE-2015-2922 kernel: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1204722" id="1204722">CVE-2015-2666 kernel: execution in the early microcode loader</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1208684" id="1208684">CVE-2014-9715 kernel: netfilter connection tracking extensions denial of service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1218074" id="1218074">CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534019"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534007"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534033"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534021"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534009"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534017"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534005"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534013"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534025"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534015"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534027"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534029"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534031"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534023"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-229.11.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151534011"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151565" version="601">
<metadata>
<title>RHSA-2015:1565: kernel-rt security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1565-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1565.html" source="RHSA"/>
<reference ref_id="CVE-2014-9715" ref_url="https://access.redhat.com/security/cve/CVE-2014-9715" source="CVE"/>
<reference ref_id="CVE-2015-2666" ref_url="https://access.redhat.com/security/cve/CVE-2015-2666" source="CVE"/>
<reference ref_id="CVE-2015-2922" ref_url="https://access.redhat.com/security/cve/CVE-2015-2922" source="CVE"/>
<reference ref_id="CVE-2015-3636" ref_url="https://access.redhat.com/security/cve/CVE-2015-3636" source="CVE"/>
<description>The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.
* An integer overflow flaw was found in the way the Linux kernel's
netfilter connection tracking implementation loaded extensions. An attacker
on a local network could potentially send a sequence of specially crafted
packets that would initiate the loading of a large number of extensions,
causing the targeted system in that network to crash. (CVE-2014-9715,
Moderate)
* A stack-based buffer overflow flaw was found in the Linux kernel's early
load microcode functionality. On a system with UEFI Secure Boot enabled, a
local, privileged user could use this flaw to increase their privileges to
the kernel (ring0) level, bypassing intended restrictions in place.
(CVE-2015-2666, Moderate)
* It was found that the Linux kernel's ping socket implementation did not
properly handle socket unhashing during spurious disconnects, which could
lead to a use-after-free flaw. On x86-64 architecture systems, a local user
able to create ping sockets could use this flaw to crash the system.
On non-x86-64 architecture systems, a local user able to create ping
sockets could use this flaw to escalate their privileges on the system.
(CVE-2015-3636, Moderate)
* It was found that the Linux kernel's TCP/IP protocol suite implementation
for IPv6 allowed the Hop Limit value to be set to a smaller value than the
default one. An attacker on a local network could use this flaw to prevent
systems on that network from sending or receiving network packets.
(CVE-2015-2922, Low)
Red Hat would like to thank Nathan Hoad for reporting the CVE-2014-9715
issue.
The kernel-rt packages have been upgraded to version 3.10.0-229.11.1, which
provides a number of bug fixes and enhancements over the previous version,
including:
* drbg: Add stdrng alias and increase priority
* seqiv / eseqiv / chainiv: Move IV seeding into init function
* ipv4: kABI fix for 0bbf87d backport
* ipv4: Convert ipv4.ip_local_port_range to be per netns
* libceph: tcp_nodelay support
* ipr: Increase default adapter init stage change timeout
* fix use-after-free bug in usb_hcd_unlink_urb()
* libceph: fix double __remove_osd() problem
* ext4: fix data corruption caused by unwritten and delayed extents
* sunrpc: Add missing support for RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT
* nfs: Fixing lease renewal (Benjamin Coddington)
* control hard lockup detection default
* Fix print-once on enable
* watchdog: update watchdog_thresh properly and watchdog attributes
atomically
* module: Call module notifier on failure after complete_formation()
(BZ#1234470)
This update also fixes the following bugs:
* The megasas driver used the smp_processor_id() function within a
preemptible context, which caused warning messages to be returned to the
console. The function has been changed to raw_smp_processor_id() so that a
lock is held while getting the processor ID. As a result, correct
operations are now allowed without any console warnings being produced.
(BZ#1235304)
* In the NFSv4 file system, non-standard usage of the
write_seqcount_{begin,end}() functions were used, which caused the realtime
code to try to sleep while locks were held. As a consequence, the
"scheduling while atomic" error messages were returned. The underlying
source code has been modified to use the __write_seqcount_{begin,end}()
functions that do not hold any locks, allowing correct execution of
realtime. (BZ#1235301)
All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-03"/>
<updated date="2015-08-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9715">CVE-2014-9715</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2666">CVE-2015-2666</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2922">CVE-2015-2922</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3636">CVE-2015-3636</cve>
<bugzilla href="https://bugzilla.redhat.com/1203712" id="1203712">CVE-2015-2922 kernel: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1204722" id="1204722">CVE-2015-2666 kernel: execution in the early microcode loader</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1208684" id="1208684">CVE-2014-9715 kernel: netfilter connection tracking extensions denial of service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1218074" id="1218074">CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1234470" id="1234470">kernel-rt: update to the RHEL7.1.z batch 4 source tree</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel-rt is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151565009"/>
<criterion comment="kernel-rt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151565011"/>
<criterion comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151565017"/>
<criterion comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-devel is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151565021"/>
<criterion comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-doc is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151565005"/>
<criterion comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151565007"/>
<criterion comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151565013"/>
<criterion comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151565019"/>
<criterion comment="kernel-rt-virt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151565015"/>
<criterion comment="kernel-rt-virt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151581" version="601">
<metadata>
<title>RHSA-2015:1581: firefox security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2015:1581-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1581.html" source="RHSA"/>
<reference ref_id="CVE-2015-4495" ref_url="https://access.redhat.com/security/cve/CVE-2015-4495" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
A flaw was discovered in Mozilla Firefox that could be used to violate the
same-origin policy and inject web script into a non-privileged part of the
built-in PDF file viewer (PDF.js). An attacker could create a malicious web
page that, when viewed by a victim, could steal arbitrary files (including
private SSH keys, the /etc/passwd file, and other potentially sensitive
files) from the system running Firefox. (CVE-2015-4495)
Red Hat would like to thank the Mozilla project for reporting this issue.
Upstream acknowledges Cody Crews as the original reporter.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.1.1 ESR, which corrects this issue. After installing the
update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-07"/>
<updated date="2015-08-07"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4495">CVE-2015-4495</cve>
<bugzilla href="https://bugzilla.redhat.com/1251318" id="1251318">CVE-2015-4495 Mozilla: Same origin violation and local file stealing via PDF reader (MFSA 2015-78)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.1.1-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151581002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.1.1-1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151581008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.1.1-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151581014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151586" version="601">
<metadata>
<title>RHSA-2015:1586: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1586-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1586.html" source="RHSA"/>
<reference ref_id="CVE-2015-4473" ref_url="https://access.redhat.com/security/cve/CVE-2015-4473" source="CVE"/>
<reference ref_id="CVE-2015-4475" ref_url="https://access.redhat.com/security/cve/CVE-2015-4475" source="CVE"/>
<reference ref_id="CVE-2015-4478" ref_url="https://access.redhat.com/security/cve/CVE-2015-4478" source="CVE"/>
<reference ref_id="CVE-2015-4479" ref_url="https://access.redhat.com/security/cve/CVE-2015-4479" source="CVE"/>
<reference ref_id="CVE-2015-4480" ref_url="https://access.redhat.com/security/cve/CVE-2015-4480" source="CVE"/>
<reference ref_id="CVE-2015-4484" ref_url="https://access.redhat.com/security/cve/CVE-2015-4484" source="CVE"/>
<reference ref_id="CVE-2015-4485" ref_url="https://access.redhat.com/security/cve/CVE-2015-4485" source="CVE"/>
<reference ref_id="CVE-2015-4486" ref_url="https://access.redhat.com/security/cve/CVE-2015-4486" source="CVE"/>
<reference ref_id="CVE-2015-4487" ref_url="https://access.redhat.com/security/cve/CVE-2015-4487" source="CVE"/>
<reference ref_id="CVE-2015-4488" ref_url="https://access.redhat.com/security/cve/CVE-2015-4488" source="CVE"/>
<reference ref_id="CVE-2015-4489" ref_url="https://access.redhat.com/security/cve/CVE-2015-4489" source="CVE"/>
<reference ref_id="CVE-2015-4491" ref_url="https://access.redhat.com/security/cve/CVE-2015-4491" source="CVE"/>
<reference ref_id="CVE-2015-4492" ref_url="https://access.redhat.com/security/cve/CVE-2015-4492" source="CVE"/>
<reference ref_id="CVE-2015-4493" ref_url="https://access.redhat.com/security/cve/CVE-2015-4493" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479,
CVE-2015-4480, CVE-2015-4493, CVE-2015-4484, CVE-2015-4491, CVE-2015-4485,
CVE-2015-4486, CVE-2015-4487, CVE-2015-4488, CVE-2015-4489, CVE-2015-4492)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Gary Kwong, Christian Holler, Byron Campen, Aki
Helin, André Bargull, Massimiliano Tomassoli, laf.intel, Massimiliano
Tomassoli, Tyson Smith, Jukka Jylänki, Gustavo Grieco, Abhishek Arya,
Ronald Crane, and Looben Yang as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.2 ESR, which corrects these issues. After installing the
update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-11"/>
<updated date="2015-08-11"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4473">CVE-2015-4473</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4475">CVE-2015-4475</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4478">CVE-2015-4478</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4479">CVE-2015-4479</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4480">CVE-2015-4480</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4484">CVE-2015-4484</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4485">CVE-2015-4485</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4486">CVE-2015-4486</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4487">CVE-2015-4487</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4488">CVE-2015-4488</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4489">CVE-2015-4489</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4491">CVE-2015-4491</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4492">CVE-2015-4492</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4493">CVE-2015-4493</cve>
<bugzilla href="https://bugzilla.redhat.com/1252271" id="1252271">CVE-2015-4473 Mozilla: Miscellaneous memory safety hazards (rv:38.2) (MFSA 2015-79)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252276" id="1252276">CVE-2015-4475 Mozilla: Out-of-bounds read with malformed MP3 file (MFSA 2015-80)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252282" id="1252282">CVE-2015-4478 Mozilla: Redefinition of non-configurable JavaScript object properties (MFSA 2015-82)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252285" id="1252285">CVE-2015-4479 CVE-2015-4480 CVE-2015-4493 Mozilla: Overflow issues in libstagefright (MFSA 2015-83)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252289" id="1252289">CVE-2015-4484 Mozilla: Crash when using shared memory in JavaScript (MFSA 2015-87)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252290" id="1252290">CVE-2015-4491 Mozilla: Heap overflow in gdk-pixbuf when scaling bitmap images (MFSA 2015-88)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252292" id="1252292">CVE-2015-4485 CVE-2015-4486 Mozilla: Buffer overflows on Libvpx when decoding WebM video (MFSA 2015-89)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252293" id="1252293">CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-90)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252295" id="1252295">CVE-2015-4492 Mozilla: Use-after-free in XMLHttpRequest with shared workers (MFSA 2015-92)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.2.0-4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151586002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.2.0-4.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151586008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.2.0-4.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151586014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151635" version="601">
<metadata>
<title>RHSA-2015:1635: sqlite security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1635-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1635.html" source="RHSA"/>
<reference ref_id="CVE-2015-3414" ref_url="https://access.redhat.com/security/cve/CVE-2015-3414" source="CVE"/>
<reference ref_id="CVE-2015-3415" ref_url="https://access.redhat.com/security/cve/CVE-2015-3415" source="CVE"/>
<reference ref_id="CVE-2015-3416" ref_url="https://access.redhat.com/security/cve/CVE-2015-3416" source="CVE"/>
<description>SQLite is a C library that implements an SQL database engine. A large
subset of SQL92 is supported. A complete database is stored in a single
disk file. The API is designed for convenience and ease of use.
Applications that link against SQLite can enjoy the power and flexibility
of an SQL database without the administrative hassles of supporting a
separate database server.
A flaw was found in the way SQLite handled dequoting of collation-sequence
names. A local attacker could submit a specially crafted COLLATE statement
that would crash the SQLite process, or have other unspecified impacts.
(CVE-2015-3414)
It was found that SQLite's sqlite3VdbeExec() function did not properly
implement comparison operators. A local attacker could submit a specially
crafted CHECK statement that would crash the SQLite process, or have other
unspecified impacts. (CVE-2015-3415)
It was found that SQLite's sqlite3VXPrintf() function did not properly
handle precision and width values during floating-point conversions.
A local attacker could submit a specially crafted SELECT statement that
would crash the SQLite process, or have other unspecified impacts.
(CVE-2015-3416)
All sqlite users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-17"/>
<updated date="2015-08-17"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3414">CVE-2015-3414</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3415">CVE-2015-3415</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3416">CVE-2015-3416</cve>
<bugzilla href="https://bugzilla.redhat.com/1212353" id="1212353">CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212356" id="1212356">CVE-2015-3415 sqlite: invalid free() in src/vdbe.c</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212357" id="1212357">CVE-2015-3416 sqlite: stack buffer overflow in src/printf.c</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="lemon is earlier than 0:3.7.17-6.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151635005"/>
<criterion comment="lemon is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151635006"/>
</criteria>
<criteria operator="AND">
<criterion comment="sqlite is earlier than 0:3.7.17-6.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151635007"/>
<criterion comment="sqlite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151635008"/>
</criteria>
<criteria operator="AND">
<criterion comment="sqlite-devel is earlier than 0:3.7.17-6.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151635011"/>
<criterion comment="sqlite-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151635012"/>
</criteria>
<criteria operator="AND">
<criterion comment="sqlite-doc is earlier than 0:3.7.17-6.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151635013"/>
<criterion comment="sqlite-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151635014"/>
</criteria>
<criteria operator="AND">
<criterion comment="sqlite-tcl is earlier than 0:3.7.17-6.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151635009"/>
<criterion comment="sqlite-tcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151635010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151636" version="601">
<metadata>
<title>RHSA-2015:1636: net-snmp security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1636-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1636.html" source="RHSA"/>
<reference ref_id="CVE-2015-5621" ref_url="https://access.redhat.com/security/cve/CVE-2015-5621" source="CVE"/>
<description>The net-snmp packages provide various libraries and tools for the Simple
Network Management Protocol (SNMP), including an SNMP library, an
extensible agent, tools for requesting or setting information from SNMP
agents, tools for generating and handling SNMP traps, a version of the
netstat command which uses SNMP, and a Tk/Perl Management Information Base
(MIB) browser.
It was discovered that the snmp_pdu_parse() function could leave
incompletely parsed varBind variables in the list of variables. A remote,
unauthenticated attacker could use this flaw to crash snmpd or,
potentially, execute arbitrary code on the system with the privileges of
the user running snmpd. (CVE-2015-5621)
Red Hat would like to thank Qinghao Tang of QIHU 360 company, China for
reporting this issue.
All net-snmp users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-17"/>
<updated date="2015-08-17"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5621">CVE-2015-5621</cve>
<bugzilla href="https://bugzilla.redhat.com/1212408" id="1212408">CVE-2015-5621 net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in list of variables</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="net-snmp is earlier than 1:5.5-54.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151636007"/>
<criterion comment="net-snmp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636008"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-devel is earlier than 1:5.5-54.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151636011"/>
<criterion comment="net-snmp-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636012"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-libs is earlier than 1:5.5-54.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151636009"/>
<criterion comment="net-snmp-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636010"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-perl is earlier than 1:5.5-54.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151636015"/>
<criterion comment="net-snmp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636016"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-python is earlier than 1:5.5-54.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151636013"/>
<criterion comment="net-snmp-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636014"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-utils is earlier than 1:5.5-54.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151636005"/>
<criterion comment="net-snmp-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636006"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="net-snmp is earlier than 1:5.7.2-20.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151636021"/>
<criterion comment="net-snmp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636008"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-agent-libs is earlier than 1:5.7.2-20.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151636025"/>
<criterion comment="net-snmp-agent-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636026"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-devel is earlier than 1:5.7.2-20.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151636032"/>
<criterion comment="net-snmp-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636012"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-gui is earlier than 1:5.7.2-20.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151636029"/>
<criterion comment="net-snmp-gui is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636030"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-libs is earlier than 1:5.7.2-20.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151636031"/>
<criterion comment="net-snmp-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636010"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-perl is earlier than 1:5.7.2-20.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151636027"/>
<criterion comment="net-snmp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636016"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-python is earlier than 1:5.7.2-20.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151636028"/>
<criterion comment="net-snmp-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636014"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-sysvinit is earlier than 1:5.7.2-20.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151636023"/>
<criterion comment="net-snmp-sysvinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636024"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-utils is earlier than 1:5.7.2-20.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151636022"/>
<criterion comment="net-snmp-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636006"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151640" version="601">
<metadata>
<title>RHSA-2015:1640: pam security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1640-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1640.html" source="RHSA"/>
<reference ref_id="CVE-2015-3238" ref_url="https://access.redhat.com/security/cve/CVE-2015-3238" source="CVE"/>
<description>Pluggable Authentication Modules (PAM) provide a system whereby
administrators can set up authentication policies without having to
recompile programs to handle authentication.
It was discovered that the _unix_run_helper_binary() function of PAM's
unix_pam module could write to a blocking pipe, possibly causing the
function to become unresponsive. An attacker able to supply large passwords
to the unix_pam module could use this flaw to enumerate valid user
accounts, or cause a denial of service on the system. (CVE-2015-3238)
Red Hat would like to thank Sebastien Macke of Trustwave SpiderLabs for
reporting this issue.
All pam users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-18"/>
<updated date="2015-08-18"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3238">CVE-2015-3238</cve>
<bugzilla href="https://bugzilla.redhat.com/1228571" id="1228571">CVE-2015-3238 pam: DoS/user enumeration due to blocking pipe in pam_unix module</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="pam is earlier than 0:1.1.1-20.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151640005"/>
<criterion comment="pam is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151640006"/>
</criteria>
<criteria operator="AND">
<criterion comment="pam-devel is earlier than 0:1.1.1-20.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151640007"/>
<criterion comment="pam-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151640008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="pam is earlier than 0:1.1.8-12.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151640013"/>
<criterion comment="pam is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151640006"/>
</criteria>
<criteria operator="AND">
<criterion comment="pam-devel is earlier than 0:1.1.8-12.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151640014"/>
<criterion comment="pam-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151640008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151665" version="602">
<metadata>
<title>RHSA-2015:1665: mariadb security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1665-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1665.html" source="RHSA"/>
<reference ref_id="CVE-2015-0433" ref_url="https://access.redhat.com/security/cve/CVE-2015-0433" source="CVE"/>
<reference ref_id="CVE-2015-0441" ref_url="https://access.redhat.com/security/cve/CVE-2015-0441" source="CVE"/>
<reference ref_id="CVE-2015-0499" ref_url="https://access.redhat.com/security/cve/CVE-2015-0499" source="CVE"/>
<reference ref_id="CVE-2015-0501" ref_url="https://access.redhat.com/security/cve/CVE-2015-0501" source="CVE"/>
<reference ref_id="CVE-2015-0505" ref_url="https://access.redhat.com/security/cve/CVE-2015-0505" source="CVE"/>
<reference ref_id="CVE-2015-2568" ref_url="https://access.redhat.com/security/cve/CVE-2015-2568" source="CVE"/>
<reference ref_id="CVE-2015-2571" ref_url="https://access.redhat.com/security/cve/CVE-2015-2571" source="CVE"/>
<reference ref_id="CVE-2015-2573" ref_url="https://access.redhat.com/security/cve/CVE-2015-2573" source="CVE"/>
<reference ref_id="CVE-2015-2582" ref_url="https://access.redhat.com/security/cve/CVE-2015-2582" source="CVE"/>
<reference ref_id="CVE-2015-2620" ref_url="https://access.redhat.com/security/cve/CVE-2015-2620" source="CVE"/>
<reference ref_id="CVE-2015-2643" ref_url="https://access.redhat.com/security/cve/CVE-2015-2643" source="CVE"/>
<reference ref_id="CVE-2015-2648" ref_url="https://access.redhat.com/security/cve/CVE-2015-2648" source="CVE"/>
<reference ref_id="CVE-2015-3152" ref_url="https://access.redhat.com/security/cve/CVE-2015-3152" source="CVE"/>
<reference ref_id="CVE-2015-4737" ref_url="https://access.redhat.com/security/cve/CVE-2015-4737" source="CVE"/>
<reference ref_id="CVE-2015-4752" ref_url="https://access.redhat.com/security/cve/CVE-2015-4752" source="CVE"/>
<reference ref_id="CVE-2015-4757" ref_url="https://access.redhat.com/security/cve/CVE-2015-4757" source="CVE"/>
<reference ref_id="CVE-2015-4864" ref_url="https://access.redhat.com/security/cve/CVE-2015-4864" source="CVE"/>
<description>MariaDB is a multi-user, multi-threaded SQL database server that is binary
compatible with MySQL.
It was found that the MySQL client library permitted but did not require a
client to use SSL/TLS when establishing a secure connection to a MySQL
server using the "--ssl" option. A man-in-the-middle attacker could use
this flaw to strip the SSL/TLS protection from a connection between a
client and a server. (CVE-2015-3152)
This update fixes several vulnerabilities in the MariaDB database server.
Information about these flaws can be found on the Oracle Critical Patch
Update Advisory page, listed in the References section. (CVE-2015-0501,
CVE-2015-2568, CVE-2015-0499, CVE-2015-2571, CVE-2015-0433, CVE-2015-0441,
CVE-2015-0505, CVE-2015-2573, CVE-2015-2582, CVE-2015-2620, CVE-2015-2643,
CVE-2015-2648, CVE-2015-4737, CVE-2015-4752, CVE-2015-4757)
These updated packages upgrade MariaDB to version 5.5.44. Refer to the
MariaDB Release Notes listed in the References section for a complete list
of changes.
All MariaDB users should upgrade to these updated packages, which correct
these issues. After installing this update, the MariaDB server daemon
(mysqld) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-24"/>
<updated date="2015-08-24"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0433">CVE-2015-0433</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0441">CVE-2015-0441</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0499">CVE-2015-0499</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0501">CVE-2015-0501</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0505">CVE-2015-0505</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2568">CVE-2015-2568</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2571">CVE-2015-2571</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2573">CVE-2015-2573</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2582">CVE-2015-2582</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2620">CVE-2015-2620</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2643">CVE-2015-2643</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2648">CVE-2015-2648</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3152">CVE-2015-3152</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4737">CVE-2015-4737</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4752">CVE-2015-4752</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4757">CVE-2015-4757</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4864">CVE-2015-4864</cve>
<bugzilla href="https://bugzilla.redhat.com/1212758" id="1212758">CVE-2015-0501 mysql: unspecified vulnerability related to Server:Compiling (CPU April 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212763" id="1212763">CVE-2015-2568 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU April 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212768" id="1212768">CVE-2015-0499 mysql: unspecified vulnerability related to Server:Federated (CPU April 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212772" id="1212772">CVE-2015-2571 mysql: unspecified vulnerability related to Server:Optimizer (CPU April 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212776" id="1212776">CVE-2015-0433 mysql: unspecified vulnerability related to Server:InnoDB:DML (CPU April 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212777" id="1212777">CVE-2015-0441 mysql: unspecified vulnerability related to Server:Security:Encryption (CPU April 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212780" id="1212780">CVE-2015-0505 mysql: unspecified vulnerability related to Server:DDL (CPU April 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212783" id="1212783">CVE-2015-2573 mysql: unspecified vulnerability related to Server:DDL (CPU April 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1217506" id="1217506">CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1244768" id="1244768">CVE-2015-2582 mysql: unspecified vulnerability related to Server:GIS (CPU July 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1244771" id="1244771">CVE-2015-2620 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU July 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1244774" id="1244774">CVE-2015-2643 mysql: unspecified vulnerability related to Server:Optimizer (CPU July 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1244775" id="1244775">CVE-2015-2648 mysql: unspecified vulnerability related to Server:DML (CPU July 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1244778" id="1244778">CVE-2015-4737 mysql: unspecified vulnerability related to Server:Pluggable Auth (CPU July 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1244779" id="1244779">CVE-2015-4752 mysql: unspecified vulnerability related to Server:I_S (CPU July 2015)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1244781" id="1244781">CVE-2015-4757 mysql: unspecified vulnerability related to Server:Optimizer (CPU July 2015)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="mariadb is earlier than 1:5.5.44-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151665007"/>
<criterion comment="mariadb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702006"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-bench is earlier than 1:5.5.44-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151665019"/>
<criterion comment="mariadb-bench is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702012"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-devel is earlier than 1:5.5.44-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151665013"/>
<criterion comment="mariadb-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702018"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-embedded is earlier than 1:5.5.44-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151665009"/>
<criterion comment="mariadb-embedded is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702014"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-embedded-devel is earlier than 1:5.5.44-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151665015"/>
<criterion comment="mariadb-embedded-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702010"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-libs is earlier than 1:5.5.44-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151665017"/>
<criterion comment="mariadb-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702008"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-server is earlier than 1:5.5.44-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151665011"/>
<criterion comment="mariadb-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702020"/>
</criteria>
<criteria operator="AND">
<criterion comment="mariadb-test is earlier than 1:5.5.44-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151665005"/>
<criterion comment="mariadb-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140702016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151667" version="601">
<metadata>
<title>RHSA-2015:1667: httpd security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1667-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1667.html" source="RHSA"/>
<reference ref_id="CVE-2015-3183" ref_url="https://access.redhat.com/security/cve/CVE-2015-3183" source="CVE"/>
<reference ref_id="CVE-2015-3185" ref_url="https://access.redhat.com/security/cve/CVE-2015-3185" source="CVE"/>
<description>The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.
Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could use
these flaws to create a specially crafted request, which httpd would decode
differently from an HTTP proxy software in front of it, possibly leading to
HTTP request smuggling attacks. (CVE-2015-3183)
It was discovered that in httpd 2.4, the internal API function
ap_some_auth_required() could incorrectly indicate that a request was
authenticated even when no authentication was used. An httpd module using
this API function could consequently allow access that should have been
denied. (CVE-2015-3185)
All httpd users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, the httpd service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-24"/>
<updated date="2015-08-24"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3183">CVE-2015-3183</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3185">CVE-2015-3185</cve>
<bugzilla href="https://bugzilla.redhat.com/1243887" id="1243887">CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243888" id="1243888">CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="httpd is earlier than 0:2.4.6-31.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151667007"/>
<criterion comment="httpd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921006"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpd-devel is earlier than 0:2.4.6-31.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151667005"/>
<criterion comment="httpd-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921014"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpd-manual is earlier than 0:2.4.6-31.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151667019"/>
<criterion comment="httpd-manual is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921018"/>
</criteria>
<criteria operator="AND">
<criterion comment="httpd-tools is earlier than 0:2.4.6-31.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151667017"/>
<criterion comment="httpd-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921012"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_ldap is earlier than 0:2.4.6-31.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151667011"/>
<criterion comment="mod_ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921010"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_proxy_html is earlier than 1:2.4.6-31.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151667015"/>
<criterion comment="mod_proxy_html is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921008"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_session is earlier than 0:2.4.6-31.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151667013"/>
<criterion comment="mod_session is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921016"/>
</criteria>
<criteria operator="AND">
<criterion comment="mod_ssl is earlier than 1:2.4.6-31.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151667009"/>
<criterion comment="mod_ssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140921020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151682" version="601">
<metadata>
<title>RHSA-2015:1682: thunderbird security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1682-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1682.html" source="RHSA"/>
<reference ref_id="CVE-2015-4473" ref_url="https://access.redhat.com/security/cve/CVE-2015-4473" source="CVE"/>
<reference ref_id="CVE-2015-4487" ref_url="https://access.redhat.com/security/cve/CVE-2015-4487" source="CVE"/>
<reference ref_id="CVE-2015-4488" ref_url="https://access.redhat.com/security/cve/CVE-2015-4488" source="CVE"/>
<reference ref_id="CVE-2015-4489" ref_url="https://access.redhat.com/security/cve/CVE-2015-4489" source="CVE"/>
<reference ref_id="CVE-2015-4491" ref_url="https://access.redhat.com/security/cve/CVE-2015-4491" source="CVE"/>
<description>Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-4473, CVE-2015-4491, CVE-2015-4487, CVE-2015-4488,
CVE-2015-4489)
Note: All of the above issues cannot be exploited by a specially crafted
HTML mail message because JavaScript is disabled by default for mail
messages. However, they could be exploited in other ways in Thunderbird
(for example, by viewing the full remote content of an RSS feed).
Red Hat would like to thank the Mozilla project for reporting these
issues. Upstream acknowledges Gary Kwong, Christian Holler, Byron Campen,
Gustavo Grieco, and Ronald Crane as the original reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.2. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.2, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-25"/>
<updated date="2015-08-25"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4473">CVE-2015-4473</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4487">CVE-2015-4487</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4488">CVE-2015-4488</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4489">CVE-2015-4489</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4491">CVE-2015-4491</cve>
<bugzilla href="https://bugzilla.redhat.com/1252271" id="1252271">CVE-2015-4473 Mozilla: Miscellaneous memory safety hazards (rv:38.2) (MFSA 2015-79)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252290" id="1252290">CVE-2015-4491 Mozilla: Heap overflow in gdk-pixbuf when scaling bitmap images (MFSA 2015-88)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252293" id="1252293">CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-90)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_productivity:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="thunderbird is earlier than 0:38.2.0-4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151682002"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150771003"/>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.2.0-4.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151682008"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.2.0-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151682014"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151693" version="601">
<metadata>
<title>RHSA-2015:1693: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2015:1693-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1693.html" source="RHSA"/>
<reference ref_id="CVE-2015-4497" ref_url="https://access.redhat.com/security/cve/CVE-2015-4497" source="CVE"/>
<reference ref_id="CVE-2015-4498" ref_url="https://access.redhat.com/security/cve/CVE-2015-4498" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
A flaw was found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
(CVE-2015-4497)
A flaw was found in the way Firefox handled installation of add-ons.
An attacker could use this flaw to bypass the add-on installation prompt,
and trick the user inso installing an add-on from a malicious source.
(CVE-2015-4498)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Jean-Max Reymond, Ucha Gobejishvili, and Bas Venis as
the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.2.1 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-27"/>
<updated date="2015-08-27"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4497">CVE-2015-4497</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4498">CVE-2015-4498</cve>
<bugzilla href="https://bugzilla.redhat.com/1257276" id="1257276">CVE-2015-4497 Mozilla: Use-after-free when resizing canvas element during restyling (MFSA 2015-94)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1257278" id="1257278">CVE-2015-4498 Mozilla: Add-on notification bypass through data URLs (MFSA 2015-95)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.2.1-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151693002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.2.1-1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151693008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.2.1-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151693014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151694" version="601">
<metadata>
<title>RHSA-2015:1694: gdk-pixbuf2 security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1694-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1694.html" source="RHSA"/>
<reference ref_id="CVE-2015-4491" ref_url="https://access.redhat.com/security/cve/CVE-2015-4491" source="CVE"/>
<description>gdk-pixbuf is an image loading library that can be extended by loadable
modules for new image formats. It is used by toolkits such as GTK+ or
clutter.
An integer overflow, leading to a heap-based buffer overflow, was found in
the way gdk-pixbuf, an image loading library for GNOME, scaled certain
bitmap format images. An attacker could use a specially crafted BMP image
file that, when processed by an application compiled against the gdk-pixbuf
library, would cause that application to crash or execute arbitrary code
with the permissions of the user running the application. (CVE-2015-4491)
Red Hat would like to thank the Mozilla project for reporting this issue.
Upstream acknowledges Gustavo Grieco as the original reporter.
All gdk-pixbuf2 users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-31"/>
<updated date="2015-08-31"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4491">CVE-2015-4491</cve>
<bugzilla href="https://bugzilla.redhat.com/1252290" id="1252290">CVE-2015-4491 Mozilla: Heap overflow in gdk-pixbuf when scaling bitmap images (MFSA 2015-88)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="gdk-pixbuf2 is earlier than 0:2.24.1-6.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151694005"/>
<criterion comment="gdk-pixbuf2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151694006"/>
</criteria>
<criteria operator="AND">
<criterion comment="gdk-pixbuf2-devel is earlier than 0:2.24.1-6.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151694007"/>
<criterion comment="gdk-pixbuf2-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151694008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="gdk-pixbuf2 is earlier than 0:2.28.2-5.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151694014"/>
<criterion comment="gdk-pixbuf2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151694006"/>
</criteria>
<criteria operator="AND">
<criterion comment="gdk-pixbuf2-devel is earlier than 0:2.28.2-5.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151694013"/>
<criterion comment="gdk-pixbuf2-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151694008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151695" version="601">
<metadata>
<title>RHSA-2015:1695: jakarta-taglibs-standard security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1695-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1695.html" source="RHSA"/>
<reference ref_id="CVE-2015-0254" ref_url="https://access.redhat.com/security/cve/CVE-2015-0254" source="CVE"/>
<description>jakarta-taglibs-standard is the Java Standard Tag Library (JSTL).
This library is used in conjunction with Tomcat and Java Server Pages
(JSP).
It was found that the Java Standard Tag Library (JSTL) allowed the
processing of untrusted XML documents to utilize external entity
references, which could access resources on the host system and,
potentially, allowing arbitrary code execution. (CVE-2015-0254)
Note: jakarta-taglibs-standard users may need to take additional steps
after applying this update. Detailed instructions on the additional steps
can be found here:
https://access.redhat.com/solutions/1584363
All jakarta-taglibs-standard users are advised to upgrade to these updated
packages, which contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-31"/>
<updated date="2015-08-31"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0254">CVE-2015-0254</cve>
<bugzilla href="https://bugzilla.redhat.com/1198606" id="1198606">CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="jakarta-taglibs-standard is earlier than 0:1.1.1-11.7.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151695007"/>
<criterion comment="jakarta-taglibs-standard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151695008"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-taglibs-standard-javadoc is earlier than 0:1.1.1-11.7.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151695005"/>
<criterion comment="jakarta-taglibs-standard-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151695006"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="jakarta-taglibs-standard is earlier than 0:1.1.2-14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151695014"/>
<criterion comment="jakarta-taglibs-standard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151695008"/>
</criteria>
<criteria operator="AND">
<criterion comment="jakarta-taglibs-standard-javadoc is earlier than 0:1.1.2-14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151695013"/>
<criterion comment="jakarta-taglibs-standard-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151695006"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151699" version="601">
<metadata>
<title>RHSA-2015:1699: nss-softokn security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1699-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1699.html" source="RHSA"/>
<reference ref_id="CVE-2015-2730" ref_url="https://access.redhat.com/security/cve/CVE-2015-2730" source="CVE"/>
<description>Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server
applications.
A flaw was found in the way NSS verified certain ECDSA (Elliptic Curve
Digital Signature Algorithm) signatures. Under certain conditions, an
attacker could use this flaw to conduct signature forgery attacks.
(CVE-2015-2730)
Red Hat would like to thank the Mozilla project for reporting this issue.
Upstream acknowledges Watson Ladd as the original reporter of this issue.
All nss-softokn users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-01"/>
<updated date="2015-09-01"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2730">CVE-2015-2730</cve>
<bugzilla href="https://bugzilla.redhat.com/1236954" id="1236954">CVE-2015-2730 NSS: ECDSA signature validation fails to handle some signatures correctly (MFSA 2015-64)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss-softokn is earlier than 0:3.14.3-23.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151699007"/>
<criterion comment="nss-softokn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073010"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-devel is earlier than 0:3.14.3-23.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151699005"/>
<criterion comment="nss-softokn-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073014"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl is earlier than 0:3.14.3-23.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151699009"/>
<criterion comment="nss-softokn-freebl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073016"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl-devel is earlier than 0:3.14.3-23.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151699011"/>
<criterion comment="nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss-softokn is earlier than 0:3.16.2.3-13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151699017"/>
<criterion comment="nss-softokn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073010"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-devel is earlier than 0:3.16.2.3-13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151699019"/>
<criterion comment="nss-softokn-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073014"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl is earlier than 0:3.16.2.3-13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151699018"/>
<criterion comment="nss-softokn-freebl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073016"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-softokn-freebl-devel is earlier than 0:3.16.2.3-13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151699020"/>
<criterion comment="nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151700" version="602">
<metadata>
<title>RHSA-2015:1700: pcs security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1700-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1700.html" source="RHSA"/>
<reference ref_id="CVE-2015-5189" ref_url="https://access.redhat.com/security/cve/CVE-2015-5189" source="CVE"/>
<reference ref_id="CVE-2015-5190" ref_url="https://access.redhat.com/security/cve/CVE-2015-5190" source="CVE"/>
<description>The pcs packages provide a command-line configuration system for the
Pacemaker and Corosync utilities.
A command injection flaw was found in the pcsd web UI. An attacker able to
trick a victim that was logged in to the pcsd web UI into visiting a
specially crafted URL could use this flaw to execute arbitrary code with
root privileges on the server hosting the web UI. (CVE-2015-5190)
A race condition was found in the way the pcsd web UI backend performed
authorization of user requests. An attacker could use this flaw to send a
request that would be evaluated as originating from a different user,
potentially allowing the attacker to perform actions with permissions of a
more privileged user. (CVE-2015-5189)
These issues were discovered by Tomáš Jelínek of Red Hat.
All pcs users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-01"/>
<updated date="2015-09-01"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5189">CVE-2015-5189</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5190">CVE-2015-5190</cve>
<bugzilla href="https://bugzilla.redhat.com/1252805" id="1252805">CVE-2015-5189 pcs: Incorrect authorization when using pcs web UI</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252813" id="1252813">CVE-2015-5190 pcs: Command injection with root privileges.</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="pcs is earlier than 0:0.9.139-9.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151700005"/>
<criterion comment="pcs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150980006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="pcs is earlier than 0:0.9.137-13.el7_1.4" test_ref="oval:com.redhat.rhsa:tst:20151700013"/>
<criterion comment="pcs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150980006"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-clufter is earlier than 0:0.9.137-13.el7_1.4" test_ref="oval:com.redhat.rhsa:tst:20151700011"/>
<criterion comment="python-clufter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150980008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151705" version="601">
<metadata>
<title>RHSA-2015:1705: bind security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1705-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1705.html" source="RHSA"/>
<reference ref_id="CVE-2015-5722" ref_url="https://access.redhat.com/security/cve/CVE-2015-5722" source="CVE"/>
<description>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.
A denial of service flaw was found in the way BIND parsed certain malformed
DNSSEC keys. A remote attacker could use this flaw to send a specially
crafted DNS query (for example, a query requiring a response from a zone
containing a deliberately malformed key) that would cause named functioning
as a validating resolver to crash. (CVE-2015-5722)
Red Hat would like to thank ISC for reporting this issue. Upstream
acknowledges Hanno Böck as the original reporter.
All bind users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, the BIND daemon (named) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-03"/>
<updated date="2015-09-03"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5722">CVE-2015-5722</cve>
<bugzilla href="https://bugzilla.redhat.com/1259087" id="1259087">CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.8.2-0.37.rc1.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20151705011"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.8.2-0.37.rc1.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20151705007"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.8.2-0.37.rc1.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20151705015"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.8.2-0.37.rc1.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20151705009"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.8.2-0.37.rc1.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20151705005"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.8.2-0.37.rc1.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20151705013"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705027"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705030"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705032"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705026"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs-lite is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705021"/>
<criterion comment="bind-libs-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984041"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-license is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705033"/>
<criterion comment="bind-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984029"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-lite-devel is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705028"/>
<criterion comment="bind-lite-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984039"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705025"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb-chroot is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705023"/>
<criterion comment="bind-sdb-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984035"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.9.4-18.el7_1.5" test_ref="oval:com.redhat.rhsa:tst:20151705031"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151708" version="601">
<metadata>
<title>RHSA-2015:1708: libXfont security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1708-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1708.html" source="RHSA"/>
<reference ref_id="CVE-2015-1802" ref_url="https://access.redhat.com/security/cve/CVE-2015-1802" source="CVE"/>
<reference ref_id="CVE-2015-1803" ref_url="https://access.redhat.com/security/cve/CVE-2015-1803" source="CVE"/>
<reference ref_id="CVE-2015-1804" ref_url="https://access.redhat.com/security/cve/CVE-2015-1804" source="CVE"/>
<description>The libXfont package provides the X.Org libXfont runtime library. X.Org is
an open source implementation of the X Window System.
An integer overflow flaw was found in the way libXfont processed certain
Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could
use this flaw to crash the X.Org server or, potentially, execute arbitrary
code with the privileges of the X.Org server. (CVE-2015-1802)
An integer truncation flaw was discovered in the way libXfont processed
certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local
user could use this flaw to crash the X.Org server or, potentially, execute
arbitrary code with the privileges of the X.Org server. (CVE-2015-1804)
A NULL pointer dereference flaw was discovered in the way libXfont
processed certain Glyph Bitmap Distribution Format (BDF) fonts.
A malicious, local user could use this flaw to crash the X.Org server.
(CVE-2015-1803)
All libXfont users are advised to upgrade to this updated package, which
contains backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-03"/>
<updated date="2015-09-03"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1802">CVE-2015-1802</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1803">CVE-2015-1803</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1804">CVE-2015-1804</cve>
<bugzilla href="https://bugzilla.redhat.com/1203715" id="1203715">CVE-2015-1802 libXfont: missing range check in bdfReadProperties</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1203718" id="1203718">CVE-2015-1803 libXfont: crash on invalid read in bdfReadCharacters</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1203719" id="1203719">CVE-2015-1804 libXfont: out-of-bounds memory access in bdfReadCharacters</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libXfont is earlier than 0:1.4.5-5.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151708005"/>
<criterion comment="libXfont is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141870006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libXfont-devel is earlier than 0:1.4.5-5.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151708007"/>
<criterion comment="libXfont-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141870008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libXfont is earlier than 0:1.4.7-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151708013"/>
<criterion comment="libXfont is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141870006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libXfont-devel is earlier than 0:1.4.7-3.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151708014"/>
<criterion comment="libXfont-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141870008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151714" version="601">
<metadata>
<title>RHSA-2015:1714: spice security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1714-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1714.html" source="RHSA"/>
<reference ref_id="CVE-2015-3247" ref_url="https://access.redhat.com/security/cve/CVE-2015-3247" source="CVE"/>
<description>The Simple Protocol for Independent Computing Environments (SPICE) is a
remote display protocol for virtual environments. SPICE users can access a
virtualized desktop or server from the local system or any system with
network access to the server. SPICE is used in Red Hat Enterprise Linux for
viewing virtualized guests running on the Kernel-based Virtual Machine
(KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.
A race condition flaw, leading to a heap-based memory corruption, was found
in spice's worker_update_monitors_config() function, which runs under the
QEMU-KVM context on the host. A user in a guest could leverage this flaw to
crash the host QEMU-KVM process or, possibly, execute arbitrary code with
the privileges of the host QEMU-KVM process. (CVE-2015-3247)
This issue was discovered by Frediano Ziglio of Red Hat.
All spice users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-03"/>
<updated date="2015-09-03"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3247">CVE-2015-3247</cve>
<bugzilla href="https://bugzilla.redhat.com/1233238" id="1233238">CVE-2015-3247 spice: memory corruption in worker_update_monitors_config()</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="spice is earlier than 0:0.12.4-9.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151714009"/>
<criterion comment="spice is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151714010"/>
</criteria>
<criteria operator="AND">
<criterion comment="spice-server is earlier than 0:0.12.4-9.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151714005"/>
<criterion comment="spice-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151714006"/>
</criteria>
<criteria operator="AND">
<criterion comment="spice-server-devel is earlier than 0:0.12.4-9.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151714007"/>
<criterion comment="spice-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151714008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151741" version="601">
<metadata>
<title>RHSA-2015:1741: haproxy security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1741-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1741.html" source="RHSA"/>
<reference ref_id="CVE-2015-3281" ref_url="https://access.redhat.com/security/cve/CVE-2015-3281" source="CVE"/>
<description>HAProxy provides high availability, load balancing, and proxying for TCP
and HTTP-based applications.
An implementation error related to the memory management of request and
responses was found within HAProxy's buffer_slow_realign() function.
An unauthenticated remote attacker could possibly use this flaw to leak
certain memory buffer contents from a past request or session.
(CVE-2015-3281)
All haproxy users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-08"/>
<updated date="2015-09-08"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3281">CVE-2015-3281</cve>
<bugzilla href="https://bugzilla.redhat.com/1239072" id="1239072">CVE-2015-3281 haproxy: information leak in buffer_slow_realign()</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="haproxy is earlier than 0:1.5.4-2.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20151741005"/>
<criterion comment="haproxy is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141292006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="haproxy is earlier than 0:1.5.4-4.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151741011"/>
<criterion comment="haproxy is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141292006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151742" version="601">
<metadata>
<title>RHSA-2015:1742: subversion security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1742-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1742.html" source="RHSA"/>
<reference ref_id="CVE-2015-0248" ref_url="https://access.redhat.com/security/cve/CVE-2015-0248" source="CVE"/>
<reference ref_id="CVE-2015-0251" ref_url="https://access.redhat.com/security/cve/CVE-2015-0251" source="CVE"/>
<reference ref_id="CVE-2015-3184" ref_url="https://access.redhat.com/security/cve/CVE-2015-3184" source="CVE"/>
<reference ref_id="CVE-2015-3187" ref_url="https://access.redhat.com/security/cve/CVE-2015-3187" source="CVE"/>
<description>Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes. The
mod_dav_svn module is used with the Apache HTTP Server to allow access
to Subversion repositories via HTTP.
An assertion failure flaw was found in the way the SVN server processed
certain requests with dynamically evaluated revision numbers. A remote
attacker could use this flaw to cause the SVN server (both svnserve and
httpd with the mod_dav_svn module) to crash. (CVE-2015-0248)
It was found that the mod_authz_svn module did not properly restrict
anonymous access to Subversion repositories under certain configurations
when used with Apache httpd 2.4.x. This could allow a user to anonymously
access files in a Subversion repository, which should only be accessible to
authenticated users. (CVE-2015-3184)
It was found that the mod_dav_svn module did not properly validate the
svn:author property of certain requests. An attacker able to create new
revisions could use this flaw to spoof the svn:author property.
(CVE-2015-0251)
It was found that when an SVN server (both svnserve and httpd with the
mod_dav_svn module) searched the history of a file or a directory, it would
disclose its location in the repository if that file or directory was not
readable (for example, if it had been moved). (CVE-2015-3187)
Red Hat would like to thank the Apache Software Foundation for reporting
these issues. Upstream acknowledges Evgeny Kotkov of VisualSVN as the
original reporter of CVE-2015-0248 and CVE-2015-0251, and C. Michael
Pilato of CollabNet as the original reporter of CVE-2015-3184 and
CVE-2015-3187 flaws.
All subversion users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, for the update to take effect, you must restart the httpd
daemon, if you are using mod_dav_svn, and the svnserve daemon, if you are
serving Subversion repositories via the svn:// protocol.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-08"/>
<updated date="2015-09-08"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0248">CVE-2015-0248</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0251">CVE-2015-0251</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3184">CVE-2015-3184</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3187">CVE-2015-3187</cve>
<bugzilla href="https://bugzilla.redhat.com/1205138" id="1205138">CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205140" id="1205140">CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1247249" id="1247249">CVE-2015-3184 subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1247252" id="1247252">CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="mod_dav_svn is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742009"/>
<criterion comment="mod_dav_svn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166016"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742021"/>
<criterion comment="subversion is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166006"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-devel is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742005"/>
<criterion comment="subversion-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166026"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-gnome is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742019"/>
<criterion comment="subversion-gnome is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166018"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-javahl is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742013"/>
<criterion comment="subversion-javahl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166020"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-kde is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742023"/>
<criterion comment="subversion-kde is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166008"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-libs is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742015"/>
<criterion comment="subversion-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166014"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-perl is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742011"/>
<criterion comment="subversion-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166024"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-python is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742025"/>
<criterion comment="subversion-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166012"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-ruby is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742017"/>
<criterion comment="subversion-ruby is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166010"/>
</criteria>
<criteria operator="AND">
<criterion comment="subversion-tools is earlier than 0:1.7.14-7.el7_1.1" test_ref="oval:com.redhat.rhsa:tst:20151742007"/>
<criterion comment="subversion-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150166022"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151778" version="601">
<metadata>
<title>RHSA-2015:1778: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1778-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1778.html" source="RHSA"/>
<reference ref_id="CVE-2014-9585" ref_url="https://access.redhat.com/security/cve/CVE-2014-9585" source="CVE"/>
<reference ref_id="CVE-2015-0275" ref_url="https://access.redhat.com/security/cve/CVE-2015-0275" source="CVE"/>
<reference ref_id="CVE-2015-1333" ref_url="https://access.redhat.com/security/cve/CVE-2015-1333" source="CVE"/>
<reference ref_id="CVE-2015-3212" ref_url="https://access.redhat.com/security/cve/CVE-2015-3212" source="CVE"/>
<reference ref_id="CVE-2015-4700" ref_url="https://access.redhat.com/security/cve/CVE-2015-4700" source="CVE"/>
<reference ref_id="CVE-2015-5364" ref_url="https://access.redhat.com/security/cve/CVE-2015-5364" source="CVE"/>
<reference ref_id="CVE-2015-5366" ref_url="https://access.redhat.com/security/cve/CVE-2015-5366" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the kernel's implementation of the Berkeley Packet
Filter (BPF). A local attacker could craft BPF code to crash the system by
creating a situation in which the JIT compiler would fail to correctly
optimize the JIT image on the last pass. This would lead to the CPU
executing instructions that were not part of the JIT code. (CVE-2015-4700,
Important)
* Two flaws were found in the way the Linux kernel's networking
implementation handled UDP packets with incorrect checksum values. A remote
attacker could potentially use these flaws to trigger an infinite loop in
the kernel, resulting in a denial of service on the system, or cause a
denial of service in applications using the edge triggered epoll
functionality. (CVE-2015-5364, CVE-2015-5366, Important)
* A flaw was found in the way the Linux kernel's ext4 file system handled
the "page size > block size" condition when the fallocate zero range
functionality was used. A local attacker could use this flaw to crash the
system. (CVE-2015-0275, Moderate)
* It was found that the Linux kernel's keyring implementation would leak
memory when adding a key to a keyring via the add_key() function. A local
attacker could use this flaw to exhaust all available memory on the system.
(CVE-2015-1333, Moderate)
* A race condition flaw was found in the way the Linux kernel's SCTP
implementation handled Address Configuration lists when performing Address
Configuration Change (ASCONF). A local attacker could use this flaw to
crash the system via a race condition triggered by setting certain ASCONF
options on a socket. (CVE-2015-3212, Moderate)
* An information leak flaw was found in the way the Linux kernel's Virtual
Dynamic Shared Object (vDSO) implementation performed address
randomization. A local, unprivileged user could use this flaw to leak
kernel memory addresses to user-space. (CVE-2014-9585, Low)
Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700,
and Canonical for reporting the CVE-2015-1333 issue. The CVE-2015-0275
issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue
was discovered by Ji Jianwen of Red Hat Engineering.
This update also fixes several bugs. Refer to the following Knowledgebase
article for further information:
https://access.redhat.com/articles/1614563
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-15"/>
<updated date="2015-09-15"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9585">CVE-2014-9585</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0275">CVE-2015-0275</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1333">CVE-2015-1333</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3212">CVE-2015-3212</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4700">CVE-2015-4700</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5364">CVE-2015-5364</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5366">CVE-2015-5366</cve>
<bugzilla href="https://bugzilla.redhat.com/1181054" id="1181054">CVE-2014-9585 kernel: ASLR bruteforce possible for vdso library</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1193907" id="1193907">CVE-2015-0275 kernel: fs: ext4: fallocate zero range page size > block size BUG()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1226442" id="1226442">CVE-2015-3212 kernel: SCTP race condition allows list corruption and panic from userlevel</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1233615" id="1233615">CVE-2015-4700 kernel: Crafted BPF filters may crash kernel during JIT optimisation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1239029" id="1239029">CVE-2015-5366 CVE-2015-5364 kernel: net: incorrect processing of checksums in UDP implementation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1245658" id="1245658">CVE-2015-1333 kernel: denial of service due to memory leak in add_key()</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778011"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778007"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778027"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778025"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778015"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778017"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778005"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778021"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778013"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778019"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778031"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778033"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778029"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778009"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-229.14.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151778023"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151788" version="601">
<metadata>
<title>RHSA-2015:1788: kernel-rt security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1788-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1788.html" source="RHSA"/>
<reference ref_id="CVE-2014-9585" ref_url="https://access.redhat.com/security/cve/CVE-2014-9585" source="CVE"/>
<reference ref_id="CVE-2015-0275" ref_url="https://access.redhat.com/security/cve/CVE-2015-0275" source="CVE"/>
<reference ref_id="CVE-2015-1333" ref_url="https://access.redhat.com/security/cve/CVE-2015-1333" source="CVE"/>
<reference ref_id="CVE-2015-3212" ref_url="https://access.redhat.com/security/cve/CVE-2015-3212" source="CVE"/>
<reference ref_id="CVE-2015-4700" ref_url="https://access.redhat.com/security/cve/CVE-2015-4700" source="CVE"/>
<reference ref_id="CVE-2015-5364" ref_url="https://access.redhat.com/security/cve/CVE-2015-5364" source="CVE"/>
<reference ref_id="CVE-2015-5366" ref_url="https://access.redhat.com/security/cve/CVE-2015-5366" source="CVE"/>
<description>The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the kernel's implementation of the Berkeley Packet
Filter (BPF). A local attacker could craft BPF code to crash the system by
creating a situation in which the JIT compiler would fail to correctly
optimize the JIT image on the last pass. This would lead to the CPU
executing instructions that were not part of the JIT code. (CVE-2015-4700,
Important)
* Two flaws were found in the way the Linux kernel's networking
implementation handled UDP packets with incorrect checksum values. A remote
attacker could potentially use these flaws to trigger an infinite loop in
the kernel, resulting in a denial of service on the system, or cause a
denial of service in applications using the edge triggered epoll
functionality. (CVE-2015-5364, CVE-2015-5366, Important)
* A flaw was found in the way the Linux kernel's ext4 file system handled
the "page size > block size" condition when the fallocate zero range
functionality was used. A local attacker could use this flaw to crash the
system. (CVE-2015-0275, Moderate)
* It was found that the Linux kernel's keyring implementation would leak
memory when adding a key to a keyring via the add_key() function. A local
attacker could use this flaw to exhaust all available memory on the system.
(CVE-2015-1333, Moderate)
* A race condition flaw was found in the way the Linux kernel's SCTP
implementation handled Address Configuration lists when performing Address
Configuration Change (ASCONF). A local attacker could use this flaw to
crash the system via a race condition triggered by setting certain ASCONF
options on a socket. (CVE-2015-3212, Moderate)
* An information leak flaw was found in the way the Linux kernel's Virtual
Dynamic Shared Object (vDSO) implementation performed address
randomization. A local, unprivileged user could use this flaw to leak
kernel memory addresses to user-space. (CVE-2014-9585, Low)
Red Hat would like to thank Daniel Borkmann for reporting CVE-2015-4700,
and Canonical for reporting the CVE-2015-1333 issue. The CVE-2015-0275
issue was discovered by Xiong Zhou of Red Hat, and the CVE-2015-3212 issue
was discovered by Ji Jianwen of Red Hat Engineering.
The kernel-rt packages have been upgraded to version 3.10.0-229.13.1, which
provides a number of bug fixes and enhancements over the previous version,
including:
* Fix regression in scsi_send_eh_cmnd()
* boot hangs at "Console: switching to colour dummy device 80x25"
* Update tcp stack to 3.17 kernel
* Missing some code from patch "(...) Fix VGA switcheroo problem related to
hotplug"
* ksoftirqd high CPU usage due to stray tasklet from ioatdma driver
* During Live Partition Mobility (LPM) testing, RHEL 7.1 LPARs will crash
in kmem_cache_alloc
(BZ#1253809)
This update also fixes the following bug:
* The hwlat_detector.ko module samples the clock and records any intervals
between reads that exceed a specified threshold. However, the module
previously tracked the maximum interval seen for the "inner" interval but
did not record when the "outer" interval was greater. A patch has been
applied to fix this bug, and hwlat_detector.ko now correctly records if the
outer interval is the maximal interval encountered during the run.
(BZ#1252365)
All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-12"/>
<updated date="2015-09-15"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9585">CVE-2014-9585</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0275">CVE-2015-0275</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1333">CVE-2015-1333</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3212">CVE-2015-3212</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4700">CVE-2015-4700</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5364">CVE-2015-5364</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5366">CVE-2015-5366</cve>
<bugzilla href="https://bugzilla.redhat.com/1181054" id="1181054">CVE-2014-9585 kernel: ASLR bruteforce possible for vdso library</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1193907" id="1193907">CVE-2015-0275 kernel: fs: ext4: fallocate zero range page size > block size BUG()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1226442" id="1226442">CVE-2015-3212 kernel: SCTP race condition allows list corruption and panic from userlevel</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1233615" id="1233615">CVE-2015-4700 kernel: Crafted BPF filters may crash kernel during JIT optimisation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1239029" id="1239029">CVE-2015-5366 CVE-2015-5364 kernel: net: incorrect processing of checksums in UDP implementation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1245658" id="1245658">CVE-2015-1333 kernel: denial of service due to memory leak in add_key()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1253809" id="1253809">kernel-rt: update to the RHEL7.1.z batch 5 source tree</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel-rt is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151788013"/>
<criterion comment="kernel-rt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151788011"/>
<criterion comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151788015"/>
<criterion comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-devel is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151788009"/>
<criterion comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-doc is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151788005"/>
<criterion comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151788017"/>
<criterion comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151788021"/>
<criterion comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151788019"/>
<criterion comment="kernel-rt-virt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151788007"/>
<criterion comment="kernel-rt-virt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151793" version="601">
<metadata>
<title>RHSA-2015:1793: qemu-kvm security fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1793-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1793.html" source="RHSA"/>
<reference ref_id="CVE-2015-5165" ref_url="https://access.redhat.com/security/cve/CVE-2015-5165" source="CVE"/>
<description>KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the
user-space component for running virtual machines using KVM.
An information leak flaw was found in the way QEMU's RTL8139 emulation
implementation processed network packets under RTL8139 controller's C+ mode
of operation. An unprivileged guest user could use this flaw to read up to
65 KB of uninitialized QEMU heap memory. (CVE-2015-5165)
Red Hat would like to thank the Xen project for reporting this issue.
Upstream acknowledges Donghai Zhu of Alibaba as the original reporter.
All qemu-kvm users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-15"/>
<updated date="2015-09-15"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5165">CVE-2015-5165</cve>
<bugzilla href="https://bugzilla.redhat.com/1248760" id="1248760">CVE-2015-5165 Qemu: rtl8139 uninitialized heap memory information leakage to guest (XSA-140)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libcacard is earlier than 10:1.5.3-86.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151793011"/>
<criterion comment="libcacard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-devel is earlier than 10:1.5.3-86.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151793009"/>
<criterion comment="libcacard-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-tools is earlier than 10:1.5.3-86.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151793005"/>
<criterion comment="libcacard-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704016"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-img is earlier than 10:1.5.3-86.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151793007"/>
<criterion comment="qemu-img is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704014"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm is earlier than 10:1.5.3-86.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151793013"/>
<criterion comment="qemu-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704006"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151793017"/>
<criterion comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704018"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.6" test_ref="oval:com.redhat.rhsa:tst:20151793015"/>
<criterion comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151834" version="603">
<metadata>
<title>RHSA-2015:1834: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1834-02" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1834.html" source="RHSA"/>
<reference ref_id="CVE-2015-4500" ref_url="https://access.redhat.com/security/cve/CVE-2015-4500" source="CVE"/>
<reference ref_id="CVE-2015-4506" ref_url="https://access.redhat.com/security/cve/CVE-2015-4506" source="CVE"/>
<reference ref_id="CVE-2015-4509" ref_url="https://access.redhat.com/security/cve/CVE-2015-4509" source="CVE"/>
<reference ref_id="CVE-2015-4511" ref_url="https://access.redhat.com/security/cve/CVE-2015-4511" source="CVE"/>
<reference ref_id="CVE-2015-4517" ref_url="https://access.redhat.com/security/cve/CVE-2015-4517" source="CVE"/>
<reference ref_id="CVE-2015-4519" ref_url="https://access.redhat.com/security/cve/CVE-2015-4519" source="CVE"/>
<reference ref_id="CVE-2015-4520" ref_url="https://access.redhat.com/security/cve/CVE-2015-4520" source="CVE"/>
<reference ref_id="CVE-2015-4521" ref_url="https://access.redhat.com/security/cve/CVE-2015-4521" source="CVE"/>
<reference ref_id="CVE-2015-4522" ref_url="https://access.redhat.com/security/cve/CVE-2015-4522" source="CVE"/>
<reference ref_id="CVE-2015-7174" ref_url="https://access.redhat.com/security/cve/CVE-2015-7174" source="CVE"/>
<reference ref_id="CVE-2015-7175" ref_url="https://access.redhat.com/security/cve/CVE-2015-7175" source="CVE"/>
<reference ref_id="CVE-2015-7176" ref_url="https://access.redhat.com/security/cve/CVE-2015-7176" source="CVE"/>
<reference ref_id="CVE-2015-7177" ref_url="https://access.redhat.com/security/cve/CVE-2015-7177" source="CVE"/>
<reference ref_id="CVE-2015-7180" ref_url="https://access.redhat.com/security/cve/CVE-2015-7180" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2015-4500, CVE-2015-4506, CVE-2015-4509, CVE-2015-4511,
CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174, CVE-2015-7175,
CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)
Two information leak flaws were found in the processing of malformed web
content. A web page containing malicious content could cause Firefox to
disclose sensitive information or, in certain cases, crash. (CVE-2015-4519,
CVE-2015-4520)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Andrew Osmond, Olli Pettay, Andrew Sutherland,
Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Khalil
Zhani, Atte Kettunen, Ronald Crane, Mario Gomes, and Ehsan Akhgari as the
original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.3.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-22"/>
<updated date="2015-09-24"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4500">CVE-2015-4500</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4506">CVE-2015-4506</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4509">CVE-2015-4509</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4511">CVE-2015-4511</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4517">CVE-2015-4517</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4519">CVE-2015-4519</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4520">CVE-2015-4520</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4521">CVE-2015-4521</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4522">CVE-2015-4522</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7174">CVE-2015-7174</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7175">CVE-2015-7175</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7176">CVE-2015-7176</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7177">CVE-2015-7177</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7180">CVE-2015-7180</cve>
<bugzilla href="https://bugzilla.redhat.com/1265186" id="1265186">CVE-2015-4500 Mozilla: Miscellaneous memory safety hazards (MFSA 2015-96)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265192" id="1265192">CVE-2015-4509 Mozilla: Use-after-free while manipulating HTML media content (MFSA 2015-106)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265617" id="1265617">CVE-2015-4506 Mozilla: Buffer overflow in libvpx while parsing vp9 format video (MFSA 2015-101)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265630" id="1265630">CVE-2015-4511 Mozilla: Buffer overflow while decoding WebM video (MFSA 2015-105)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265778" id="1265778">CVE-2015-4519 Mozilla: Dragging and dropping images exposes final URL after redirects (MFSA 2015-110)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265781" id="1265781">CVE-2015-4520 Mozilla: Errors in the handling of CORS preflight request headers (MFSA 2015-111)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265784" id="1265784">CVE-2015-4517 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176 CVE-2015-7177 CVE-2015-7180 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-112)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.3.0-2.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151834002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.3.0-2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151834008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.3.0-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151834014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151840" version="601">
<metadata>
<title>RHSA-2015:1840: openldap security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2015:1840-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1840.html" source="RHSA"/>
<reference ref_id="CVE-2015-6908" ref_url="https://access.redhat.com/security/cve/CVE-2015-6908" source="CVE"/>
<description>OpenLDAP is an open source suite of Lightweight Directory Access Protocol
(LDAP) applications and development tools. LDAP is a set of protocols used
to access and maintain distributed directory information services over an
IP network. The openldap package contains configuration files, libraries,
and documentation for OpenLDAP.
A flaw was found in the way the OpenLDAP server daemon (slapd) parsed
certain Basic Encoding Rules (BER) data. A remote attacker could use this
flaw to crash slapd via a specially crafted packet. (CVE-2015-6908)
All openldap users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-29"/>
<updated date="2015-09-29"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-6908">CVE-2015-6908</cve>
<bugzilla href="https://bugzilla.redhat.com/1262393" id="1262393">CVE-2015-6908 openldap: ber_get_next denial of service vulnerability</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="compat-openldap is earlier than 0:2.3.43_2.2.29-29.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151840012"/>
<criterion comment="compat-openldap is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20151840013"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap is earlier than 0:2.3.43-29.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151840002"/>
<criterion comment="openldap is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20151840003"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-clients is earlier than 0:2.3.43-29.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151840008"/>
<criterion comment="openldap-clients is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20151840009"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-devel is earlier than 0:2.3.43-29.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151840010"/>
<criterion comment="openldap-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20151840011"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-servers is earlier than 0:2.3.43-29.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151840004"/>
<criterion comment="openldap-servers is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20151840005"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-servers-overlays is earlier than 0:2.3.43-29.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151840006"/>
<criterion comment="openldap-servers-overlays is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20151840007"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-servers-sql is earlier than 0:2.3.43-29.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151840014"/>
<criterion comment="openldap-servers-sql is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20151840015"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openldap is earlier than 0:2.4.40-6.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151840022"/>
<criterion comment="openldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840023"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-clients is earlier than 0:2.4.40-6.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151840026"/>
<criterion comment="openldap-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840027"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-devel is earlier than 0:2.4.40-6.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151840020"/>
<criterion comment="openldap-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840021"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-servers is earlier than 0:2.4.40-6.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151840028"/>
<criterion comment="openldap-servers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840029"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-servers-sql is earlier than 0:2.4.40-6.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151840024"/>
<criterion comment="openldap-servers-sql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840025"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openldap is earlier than 0:2.4.39-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151840034"/>
<criterion comment="openldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840023"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-clients is earlier than 0:2.4.39-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151840036"/>
<criterion comment="openldap-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840027"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-devel is earlier than 0:2.4.39-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151840037"/>
<criterion comment="openldap-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840021"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-servers is earlier than 0:2.4.39-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151840038"/>
<criterion comment="openldap-servers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840029"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-servers-sql is earlier than 0:2.4.39-7.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151840035"/>
<criterion comment="openldap-servers-sql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840025"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151852" version="601">
<metadata>
<title>RHSA-2015:1852: thunderbird security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1852-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1852.html" source="RHSA"/>
<reference ref_id="CVE-2015-4500" ref_url="https://access.redhat.com/security/cve/CVE-2015-4500" source="CVE"/>
<reference ref_id="CVE-2015-4509" ref_url="https://access.redhat.com/security/cve/CVE-2015-4509" source="CVE"/>
<reference ref_id="CVE-2015-4517" ref_url="https://access.redhat.com/security/cve/CVE-2015-4517" source="CVE"/>
<reference ref_id="CVE-2015-4519" ref_url="https://access.redhat.com/security/cve/CVE-2015-4519" source="CVE"/>
<reference ref_id="CVE-2015-4520" ref_url="https://access.redhat.com/security/cve/CVE-2015-4520" source="CVE"/>
<reference ref_id="CVE-2015-4521" ref_url="https://access.redhat.com/security/cve/CVE-2015-4521" source="CVE"/>
<reference ref_id="CVE-2015-4522" ref_url="https://access.redhat.com/security/cve/CVE-2015-4522" source="CVE"/>
<reference ref_id="CVE-2015-7174" ref_url="https://access.redhat.com/security/cve/CVE-2015-7174" source="CVE"/>
<reference ref_id="CVE-2015-7175" ref_url="https://access.redhat.com/security/cve/CVE-2015-7175" source="CVE"/>
<reference ref_id="CVE-2015-7176" ref_url="https://access.redhat.com/security/cve/CVE-2015-7176" source="CVE"/>
<reference ref_id="CVE-2015-7177" ref_url="https://access.redhat.com/security/cve/CVE-2015-7177" source="CVE"/>
<reference ref_id="CVE-2015-7180" ref_url="https://access.redhat.com/security/cve/CVE-2015-7180" source="CVE"/>
<description>Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-4500, CVE-2015-4509, CVE-2015-4517, CVE-2015-4521,
CVE-2015-4522, CVE-2015-7174, CVE-2015-7175, CVE-2015-7176, CVE-2015-7177,
CVE-2015-7180)
Two information leak flaws were found in the processing of malformed web
content. A web page containing malicious content could cause Thunderbird to
disclose sensitive information or, in certain cases, crash. (CVE-2015-4519,
CVE-2015-4520)
Note: All of the above issues cannot be exploited by a specially crafted
HTML mail message because JavaScript is disabled by default for mail
messages. However, they could be exploited in other ways in Thunderbird
(for example, by viewing the full remote content of an RSS feed).
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Andrew Osmond, Olli Pettay, Andrew Sutherland,
Christian Holler, David Major, Andrew McCreight, Cameron McCormack, Ronald
Crane, Mario Gomes, and Ehsan Akhgari as the original reporters of these
issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.3.0 You can find a link to the Mozilla
advisories in the References section of this erratum.
All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.3.0, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-10-01"/>
<updated date="2015-10-01"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4500">CVE-2015-4500</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4509">CVE-2015-4509</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4517">CVE-2015-4517</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4519">CVE-2015-4519</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4520">CVE-2015-4520</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4521">CVE-2015-4521</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4522">CVE-2015-4522</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7174">CVE-2015-7174</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7175">CVE-2015-7175</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7176">CVE-2015-7176</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7177">CVE-2015-7177</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7180">CVE-2015-7180</cve>
<bugzilla href="https://bugzilla.redhat.com/1265186" id="1265186">CVE-2015-4500 Mozilla: Miscellaneous memory safety hazards (MFSA 2015-96)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265192" id="1265192">CVE-2015-4509 Mozilla: Use-after-free while manipulating HTML media content (MFSA 2015-106)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265778" id="1265778">CVE-2015-4519 Mozilla: Dragging and dropping images exposes final URL after redirects (MFSA 2015-110)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265781" id="1265781">CVE-2015-4520 Mozilla: Errors in the handling of CORS preflight request headers (MFSA 2015-111)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265784" id="1265784">CVE-2015-4517 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176 CVE-2015-7177 CVE-2015-7180 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-112)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_productivity:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="thunderbird is earlier than 0:38.3.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151852002"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150771003"/>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.3.0-1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151852008"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.3.0-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151852014"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151890" version="601">
<metadata>
<title>RHSA-2015:1890: spice security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1890-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1890.html" source="RHSA"/>
<reference ref_id="CVE-2015-5260" ref_url="https://access.redhat.com/security/cve/CVE-2015-5260" source="CVE"/>
<reference ref_id="CVE-2015-5261" ref_url="https://access.redhat.com/security/cve/CVE-2015-5261" source="CVE"/>
<description>The Simple Protocol for Independent Computing Environments (SPICE) is a
remote display protocol for virtual environments. SPICE users can access a
virtualized desktop or server from the local system or any system with
network access to the server. SPICE is used in Red Hat Enterprise Linux for
viewing virtualized guests running on the Kernel-based Virtual Machine
(KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.
A heap-based buffer overflow flaw was found in the way SPICE handled
certain guest QXL commands related to surface creation. A user in a guest
could use this flaw to read and write arbitrary memory locations on the
host. (CVE-2015-5261)
A heap-based buffer overflow flaw was found in the way spice handled
certain QXL commands related to the "surface_id" parameter. A user in a
guest could use this flaw to crash the host QEMU-KVM process or, possibly,
execute arbitrary code with the privileges of the host QEMU-KVM process.
(CVE-2015-5260)
These issues were discovered by Frediano Ziglio of Red Hat.
All spice users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-10-12"/>
<updated date="2015-10-12"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5260">CVE-2015-5260</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5261">CVE-2015-5261</cve>
<bugzilla href="https://bugzilla.redhat.com/1260822" id="1260822">CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1261889" id="1261889">CVE-2015-5261 spice: host memory access from guest using crafted images</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="spice is earlier than 0:0.12.4-9.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151890009"/>
<criterion comment="spice is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151714010"/>
</criteria>
<criteria operator="AND">
<criterion comment="spice-server is earlier than 0:0.12.4-9.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151890007"/>
<criterion comment="spice-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151714006"/>
</criteria>
<criteria operator="AND">
<criterion comment="spice-server-devel is earlier than 0:0.12.4-9.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151890005"/>
<criterion comment="spice-server-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151714008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151917" version="601">
<metadata>
<title>RHSA-2015:1917: libwmf security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1917-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1917.html" source="RHSA"/>
<reference ref_id="CVE-2015-0848" ref_url="https://access.redhat.com/security/cve/CVE-2015-0848" source="CVE"/>
<reference ref_id="CVE-2015-4588" ref_url="https://access.redhat.com/security/cve/CVE-2015-4588" source="CVE"/>
<reference ref_id="CVE-2015-4695" ref_url="https://access.redhat.com/security/cve/CVE-2015-4695" source="CVE"/>
<reference ref_id="CVE-2015-4696" ref_url="https://access.redhat.com/security/cve/CVE-2015-4696" source="CVE"/>
<description>libwmf is a library for reading and converting Windows Metafile Format
(WMF) vector graphics. libwmf is used by applications such as GIMP and
ImageMagick.
It was discovered that libwmf did not correctly process certain WMF
(Windows Metafiles) with embedded BMP images. By tricking a victim into
opening a specially crafted WMF file in an application using libwmf, a
remote attacker could possibly use this flaw to execute arbitrary code with
the privileges of the user running the application. (CVE-2015-0848,
CVE-2015-4588)
It was discovered that libwmf did not properly process certain WMF files.
By tricking a victim into opening a specially crafted WMF file in an
application using libwmf, a remote attacker could possibly exploit this
flaw to cause a crash or execute arbitrary code with the privileges of the
user running the application. (CVE-2015-4696)
It was discovered that libwmf did not properly process certain WMF files.
By tricking a victim into opening a specially crafted WMF file in an
application using libwmf, a remote attacker could possibly exploit this
flaw to cause a crash. (CVE-2015-4695)
All users of libwmf are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
update, all applications using libwmf must be restarted for the update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-10-20"/>
<updated date="2015-10-20"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0848">CVE-2015-0848</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4588">CVE-2015-4588</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4695">CVE-2015-4695</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4696">CVE-2015-4696</cve>
<bugzilla href="https://bugzilla.redhat.com/1227243" id="1227243">CVE-2015-0848 libwmf: heap overflow when decoding BMP images</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1235665" id="1235665">CVE-2015-4695 libwmf: heap buffer overread in meta.h</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1235669" id="1235669">CVE-2015-4696 libwmf: use-after-free flaw in meta.h</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1272993" id="1272993">CVE-2015-4588 libwmf: heap overflow within the RLE decoding of embedded BMP images</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libwmf is earlier than 0:0.2.8.4-25.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151917005"/>
<criterion comment="libwmf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151917006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwmf-devel is earlier than 0:0.2.8.4-25.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151917009"/>
<criterion comment="libwmf-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151917010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwmf-lite is earlier than 0:0.2.8.4-25.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151917007"/>
<criterion comment="libwmf-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151917008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libwmf is earlier than 0:0.2.8.4-41.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151917016"/>
<criterion comment="libwmf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151917006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwmf-devel is earlier than 0:0.2.8.4-41.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151917017"/>
<criterion comment="libwmf-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151917010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwmf-lite is earlier than 0:0.2.8.4-41.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151917015"/>
<criterion comment="libwmf-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151917008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151919" version="601">
<metadata>
<title>RHSA-2015:1919: java-1.8.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1919-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1919.html" source="RHSA"/>
<reference ref_id="CVE-2015-4734" ref_url="https://access.redhat.com/security/cve/CVE-2015-4734" source="CVE"/>
<reference ref_id="CVE-2015-4803" ref_url="https://access.redhat.com/security/cve/CVE-2015-4803" source="CVE"/>
<reference ref_id="CVE-2015-4805" ref_url="https://access.redhat.com/security/cve/CVE-2015-4805" source="CVE"/>
<reference ref_id="CVE-2015-4806" ref_url="https://access.redhat.com/security/cve/CVE-2015-4806" source="CVE"/>
<reference ref_id="CVE-2015-4835" ref_url="https://access.redhat.com/security/cve/CVE-2015-4835" source="CVE"/>
<reference ref_id="CVE-2015-4840" ref_url="https://access.redhat.com/security/cve/CVE-2015-4840" source="CVE"/>
<reference ref_id="CVE-2015-4842" ref_url="https://access.redhat.com/security/cve/CVE-2015-4842" source="CVE"/>
<reference ref_id="CVE-2015-4843" ref_url="https://access.redhat.com/security/cve/CVE-2015-4843" source="CVE"/>
<reference ref_id="CVE-2015-4844" ref_url="https://access.redhat.com/security/cve/CVE-2015-4844" source="CVE"/>
<reference ref_id="CVE-2015-4860" ref_url="https://access.redhat.com/security/cve/CVE-2015-4860" source="CVE"/>
<reference ref_id="CVE-2015-4868" ref_url="https://access.redhat.com/security/cve/CVE-2015-4868" source="CVE"/>
<reference ref_id="CVE-2015-4872" ref_url="https://access.redhat.com/security/cve/CVE-2015-4872" source="CVE"/>
<reference ref_id="CVE-2015-4881" ref_url="https://access.redhat.com/security/cve/CVE-2015-4881" source="CVE"/>
<reference ref_id="CVE-2015-4882" ref_url="https://access.redhat.com/security/cve/CVE-2015-4882" source="CVE"/>
<reference ref_id="CVE-2015-4883" ref_url="https://access.redhat.com/security/cve/CVE-2015-4883" source="CVE"/>
<reference ref_id="CVE-2015-4893" ref_url="https://access.redhat.com/security/cve/CVE-2015-4893" source="CVE"/>
<reference ref_id="CVE-2015-4903" ref_url="https://access.redhat.com/security/cve/CVE-2015-4903" source="CVE"/>
<reference ref_id="CVE-2015-4911" ref_url="https://access.redhat.com/security/cve/CVE-2015-4911" source="CVE"/>
<description>The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,
and 2D components in OpenJDK. An untrusted Java application or applet could
use these flaws to completely bypass Java sandbox restrictions.
(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,
CVE-2015-4805, CVE-2015-4844)
Multiple denial of service flaws were found in the JAXP component in
OpenJDK. A specially crafted XML file could cause a Java application using
JAXP to consume an excessive amount of CPU and memory when parsed.
(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)
A flaw was found in the way the Libraries component in OpenJDK handled
certificate revocation lists (CRL). In certain cases, CRL checking code
could fail to report a revoked certificate, causing the application to
accept it as trusted. (CVE-2015-4868)
It was discovered that the Security component in OpenJDK failed to properly
check if a certificate satisfied all defined constraints. In certain cases,
this could cause a Java application to accept an X.509 certificate which
does not meet requirements of the defined policy. (CVE-2015-4872)
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,
CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)
Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the
CVE-2015-4806 issue.
All users of java-1.8.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-10-21"/>
<updated date="2015-10-21"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4734">CVE-2015-4734</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4803">CVE-2015-4803</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4805">CVE-2015-4805</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4806">CVE-2015-4806</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4835">CVE-2015-4835</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4840">CVE-2015-4840</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4842">CVE-2015-4842</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4843">CVE-2015-4843</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4844">CVE-2015-4844</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4860">CVE-2015-4860</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4868">CVE-2015-4868</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4872">CVE-2015-4872</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4881">CVE-2015-4881</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4882">CVE-2015-4882</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4883">CVE-2015-4883</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4893">CVE-2015-4893</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4903">CVE-2015-4903</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4911">CVE-2015-4911</cve>
<bugzilla href="https://bugzilla.redhat.com/1233687" id="1233687">CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273022" id="1273022">CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273027" id="1273027">CVE-2015-4881 OpenJDK: missing type checks in IIOPInputStream (CORBA, 8076392)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273053" id="1273053">CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273304" id="1273304">CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273308" id="1273308">CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273311" id="1273311">CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273318" id="1273318">CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273328" id="1273328">CVE-2015-4868 OpenJDK: CRL checking flaw (Libraries, 8081744)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273338" id="1273338">CVE-2015-4840 OpenJDK: OOB access in CMS code (2D, 8086092)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273414" id="1273414">CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273425" id="1273425">CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273430" id="1273430">CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273496" id="1273496">CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273637" id="1273637">CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273638" id="1273638">CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273645" id="1273645">CVE-2015-4911 OpenJDK: incomplete supportDTD enforcement (JAXP, 8130078)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273734" id="1273734">CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919007"/>
<criterion comment="java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-debug is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919011"/>
<criterion comment="java-1.8.0-openjdk-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919013"/>
<criterion comment="java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-demo-debug is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919017"/>
<criterion comment="java-1.8.0-openjdk-demo-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919019"/>
<criterion comment="java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-devel-debug is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919015"/>
<criterion comment="java-1.8.0-openjdk-devel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919023"/>
<criterion comment="java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-headless-debug is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919005"/>
<criterion comment="java-1.8.0-openjdk-headless-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919025"/>
<criterion comment="java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-javadoc-debug is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919027"/>
<criterion comment="java-1.8.0-openjdk-javadoc-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919028"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919009"/>
<criterion comment="java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-src-debug is earlier than 1:1.8.0.65-0.b17.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151919021"/>
<criterion comment="java-1.8.0-openjdk-src-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919022"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk is earlier than 1:1.8.0.65-2.b17.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151919039"/>
<criterion comment="java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.65-2.b17.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151919033"/>
<criterion comment="java-1.8.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809023"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.65-2.b17.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151919036"/>
<criterion comment="java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.65-2.b17.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151919037"/>
<criterion comment="java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.65-2.b17.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151919038"/>
<criterion comment="java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.65-2.b17.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151919040"/>
<criterion comment="java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.65-2.b17.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151919035"/>
<criterion comment="java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809016"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151920" version="601">
<metadata>
<title>RHSA-2015:1920: java-1.7.0-openjdk security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1920-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1920.html" source="RHSA"/>
<reference ref_id="CVE-2015-4734" ref_url="https://access.redhat.com/security/cve/CVE-2015-4734" source="CVE"/>
<reference ref_id="CVE-2015-4803" ref_url="https://access.redhat.com/security/cve/CVE-2015-4803" source="CVE"/>
<reference ref_id="CVE-2015-4805" ref_url="https://access.redhat.com/security/cve/CVE-2015-4805" source="CVE"/>
<reference ref_id="CVE-2015-4806" ref_url="https://access.redhat.com/security/cve/CVE-2015-4806" source="CVE"/>
<reference ref_id="CVE-2015-4835" ref_url="https://access.redhat.com/security/cve/CVE-2015-4835" source="CVE"/>
<reference ref_id="CVE-2015-4840" ref_url="https://access.redhat.com/security/cve/CVE-2015-4840" source="CVE"/>
<reference ref_id="CVE-2015-4842" ref_url="https://access.redhat.com/security/cve/CVE-2015-4842" source="CVE"/>
<reference ref_id="CVE-2015-4843" ref_url="https://access.redhat.com/security/cve/CVE-2015-4843" source="CVE"/>
<reference ref_id="CVE-2015-4844" ref_url="https://access.redhat.com/security/cve/CVE-2015-4844" source="CVE"/>
<reference ref_id="CVE-2015-4860" ref_url="https://access.redhat.com/security/cve/CVE-2015-4860" source="CVE"/>
<reference ref_id="CVE-2015-4872" ref_url="https://access.redhat.com/security/cve/CVE-2015-4872" source="CVE"/>
<reference ref_id="CVE-2015-4881" ref_url="https://access.redhat.com/security/cve/CVE-2015-4881" source="CVE"/>
<reference ref_id="CVE-2015-4882" ref_url="https://access.redhat.com/security/cve/CVE-2015-4882" source="CVE"/>
<reference ref_id="CVE-2015-4883" ref_url="https://access.redhat.com/security/cve/CVE-2015-4883" source="CVE"/>
<reference ref_id="CVE-2015-4893" ref_url="https://access.redhat.com/security/cve/CVE-2015-4893" source="CVE"/>
<reference ref_id="CVE-2015-4903" ref_url="https://access.redhat.com/security/cve/CVE-2015-4903" source="CVE"/>
<reference ref_id="CVE-2015-4911" ref_url="https://access.redhat.com/security/cve/CVE-2015-4911" source="CVE"/>
<description>The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,
and 2D components in OpenJDK. An untrusted Java application or applet could
use these flaws to completely bypass Java sandbox restrictions.
(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,
CVE-2015-4805, CVE-2015-4844)
Multiple denial of service flaws were found in the JAXP component in
OpenJDK. A specially crafted XML file could cause a Java application using
JAXP to consume an excessive amount of CPU and memory when parsed.
(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)
It was discovered that the Security component in OpenJDK failed to properly
check if a certificate satisfied all defined constraints. In certain cases,
this could cause a Java application to accept an X.509 certificate which
does not meet requirements of the defined policy. (CVE-2015-4872)
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,
CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)
Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the
CVE-2015-4806 issue.
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-10-21"/>
<updated date="2015-10-21"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4734">CVE-2015-4734</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4803">CVE-2015-4803</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4805">CVE-2015-4805</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4806">CVE-2015-4806</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4835">CVE-2015-4835</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4840">CVE-2015-4840</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4842">CVE-2015-4842</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4843">CVE-2015-4843</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4844">CVE-2015-4844</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4860">CVE-2015-4860</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4872">CVE-2015-4872</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4881">CVE-2015-4881</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4882">CVE-2015-4882</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4883">CVE-2015-4883</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4893">CVE-2015-4893</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4903">CVE-2015-4903</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4911">CVE-2015-4911</cve>
<bugzilla href="https://bugzilla.redhat.com/1233687" id="1233687">CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273022" id="1273022">CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273027" id="1273027">CVE-2015-4881 OpenJDK: missing type checks in IIOPInputStream (CORBA, 8076392)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273053" id="1273053">CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273304" id="1273304">CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273308" id="1273308">CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273311" id="1273311">CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273318" id="1273318">CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273338" id="1273338">CVE-2015-4840 OpenJDK: OOB access in CMS code (2D, 8086092)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273414" id="1273414">CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273425" id="1273425">CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273430" id="1273430">CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273496" id="1273496">CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273637" id="1273637">CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273638" id="1273638">CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273645" id="1273645">CVE-2015-4911 OpenJDK: incomplete supportDTD enforcement (JAXP, 8130078)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273734" id="1273734">CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.91-2.6.2.2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151920007"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.91-2.6.2.2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151920009"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.91-2.6.2.2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151920005"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.91-2.6.2.2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151920013"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.91-2.6.2.2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151920011"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.91-2.6.2.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151920026"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.91-2.6.2.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151920024"/>
<criterion comment="java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.91-2.6.2.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151920021"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.91-2.6.2.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151920019"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.91-2.6.2.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151920022"/>
<criterion comment="java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.91-2.6.2.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151920027"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.91-2.6.2.1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151920020"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151930" version="601">
<metadata>
<title>RHSA-2015:1930: ntp security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1930-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1930.html" source="RHSA"/>
<reference ref_id="CVE-2015-5300" ref_url="https://access.redhat.com/security/cve/CVE-2015-5300" source="CVE"/>
<reference ref_id="CVE-2015-7704" ref_url="https://access.redhat.com/security/cve/CVE-2015-7704" source="CVE"/>
<description>The Network Time Protocol (NTP) is used to synchronize a computer's time
with a referenced time source.
It was discovered that ntpd as a client did not correctly check timestamps
in Kiss-of-Death packets. A remote attacker could use this flaw to send a
crafted Kiss-of-Death packet to an ntpd client that would increase the
client's polling interval value, and effectively disable synchronization
with the server. (CVE-2015-7704)
It was found that ntpd did not correctly implement the threshold limitation
for the '-g' option, which is used to set the time without any
restrictions. A man-in-the-middle attacker able to intercept NTP traffic
between a connecting client and an NTP server could use this flaw to force
that client to make multiple steps larger than the panic threshold,
effectively changing the time to an arbitrary value. (CVE-2015-5300)
Red Hat would like to thank Aanchal Malhotra, Isaac E. Cohen, and Sharon
Goldberg of Boston University for reporting these issues.
All ntp users are advised to upgrade to these updated packages, which
contain backported patches to resolve these issues. After installing the
update, the ntpd daemon will restart automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-10-26"/>
<updated date="2015-10-26"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5300">CVE-2015-5300</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7704">CVE-2015-7704</cve>
<bugzilla href="https://bugzilla.redhat.com/1271070" id="1271070">CVE-2015-7704 ntp: disabling synchronization via crafted KoD packet</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1271076" id="1271076">CVE-2015-5300 ntp: MITM attacker can force ntpd to make a step larger than the panic threshold</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ntp is earlier than 0:4.2.6p5-5.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151930009"/>
<criterion comment="ntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-doc is earlier than 0:4.2.6p5-5.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151930011"/>
<criterion comment="ntp-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-perl is earlier than 0:4.2.6p5-5.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151930005"/>
<criterion comment="ntp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntpdate is earlier than 0:4.2.6p5-5.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20151930007"/>
<criterion comment="ntpdate is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ntp is earlier than 0:4.2.6p5-19.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151930020"/>
<criterion comment="ntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-doc is earlier than 0:4.2.6p5-19.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151930021"/>
<criterion comment="ntp-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-perl is earlier than 0:4.2.6p5-19.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151930022"/>
<criterion comment="ntp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntpdate is earlier than 0:4.2.6p5-19.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151930019"/>
<criterion comment="ntpdate is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024012"/>
</criteria>
<criteria operator="AND">
<criterion comment="sntp is earlier than 0:4.2.6p5-19.el7_1.3" test_ref="oval:com.redhat.rhsa:tst:20151930017"/>
<criterion comment="sntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151943" version="601">
<metadata>
<title>RHSA-2015:1943: qemu-kvm security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1943-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1943.html" source="RHSA"/>
<reference ref_id="CVE-2015-1779" ref_url="https://access.redhat.com/security/cve/CVE-2015-1779" source="CVE"/>
<description>KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the
user-space component for running virtual machines using KVM.
It was found that the QEMU's websocket frame decoder processed incoming
frames without limiting resources used to process the header and the
payload. An attacker able to access a guest's VNC console could use this
flaw to trigger a denial of service on the host by exhausting all available
memory and CPU. (CVE-2015-1779)
This issue was discovered by Daniel P. Berrange of Red Hat.
All qemu-kvm users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-10-27"/>
<updated date="2015-10-27"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1779">CVE-2015-1779</cve>
<bugzilla href="https://bugzilla.redhat.com/1199572" id="1199572">CVE-2015-1779 qemu: vnc: insufficient resource limiting in VNC websockets decoder</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273098" id="1273098">qemu-kvm build failure race condition in tests/ide-test</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libcacard is earlier than 10:1.5.3-86.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151943009"/>
<criterion comment="libcacard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-devel is earlier than 10:1.5.3-86.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151943011"/>
<criterion comment="libcacard-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-tools is earlier than 10:1.5.3-86.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151943005"/>
<criterion comment="libcacard-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704016"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-img is earlier than 10:1.5.3-86.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151943007"/>
<criterion comment="qemu-img is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704014"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm is earlier than 10:1.5.3-86.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151943013"/>
<criterion comment="qemu-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704006"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151943015"/>
<criterion comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704018"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.8" test_ref="oval:com.redhat.rhsa:tst:20151943017"/>
<criterion comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151977" version="601">
<metadata>
<title>RHSA-2015:1977: kernel-rt security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1977-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1977.html" source="RHSA"/>
<reference ref_id="CVE-2014-8559" ref_url="https://access.redhat.com/security/cve/CVE-2014-8559" source="CVE"/>
<reference ref_id="CVE-2015-5156" ref_url="https://access.redhat.com/security/cve/CVE-2015-5156" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the way the Linux kernel's VFS subsystem handled file
system locks. A local, unprivileged user could use this flaw to trigger a
deadlock in the kernel, causing a denial of service on the system.
(CVE-2014-8559, Moderate)
* A buffer overflow flaw was found in the way the Linux kernel's virtio-net
subsystem handled certain fraglists when the GRO (Generic Receive Offload)
functionality was enabled in a bridged network configuration. An attacker
on the local network could potentially use this flaw to crash the system,
or, although unlikely, elevate their privileges on the system.
(CVE-2015-5156, Moderate)
The CVE-2015-5156 issue was discovered by Jason Wang of Red Hat.
The kernel-rt packages have been upgraded to version 3.10.0-229.20.1, which
provides a number of bug fixes and enhancements over the previous version,
including:
* Unexpected completion is detected on Intel Ethernet x540
* Divide by zero error in intel_pstate_timer_func() [ inline s64
div_s64_rem() ]
* NFS Recover from stateid-type error on SETATTR
* pNFS RHEL 7.1 Data Server connection remains after umount due to lseg
refcount leak
* Race during NFS v4.0 recovery and standard IO.
* Fix ip6t_SYNPROXY for namespaces and connection delay
* synproxy window size and sequence number behaviour causes long connection
delay
* Crash in kmem_cache_alloc() during disk stress testing (using ipr)
* xfs: sync/backport to upstream v4.1
* iscsi_session recovery_tmo revert back to default when a path becomes
active
* read from MD raid1 can fail if read from resync target fails
* backport scsi-mq
* unable to handle kernel paging request at 0000000000237037 [zswap]
(BZ#1266915)
All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add this enhancement. The system must be rebooted
for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-09-25"/>
<updated date="2015-11-03"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8559">CVE-2014-8559</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5156">CVE-2015-5156</cve>
<bugzilla href="https://bugzilla.redhat.com/1159313" id="1159313">CVE-2014-8559 kernel: fs: deadlock due to incorrect usage of rename_lock</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243852" id="1243852">CVE-2015-5156 kernel: buffer overflow with fraglist larger than MAX_SKB_FRAGS + 2 in virtio-net</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1266915" id="1266915">kernel-rt: update to the RHEL7.1.z batch 6 source tree</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel-rt is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151977021"/>
<criterion comment="kernel-rt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151977011"/>
<criterion comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151977013"/>
<criterion comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-devel is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151977007"/>
<criterion comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-doc is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151977005"/>
<criterion comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151977019"/>
<criterion comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151977017"/>
<criterion comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151977009"/>
<criterion comment="kernel-rt-virt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151977015"/>
<criterion comment="kernel-rt-virt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151978" version="601">
<metadata>
<title>RHSA-2015:1978: kernel security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1978-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1978.html" source="RHSA"/>
<reference ref_id="CVE-2014-8559" ref_url="https://access.redhat.com/security/cve/CVE-2014-8559" source="CVE"/>
<reference ref_id="CVE-2015-5156" ref_url="https://access.redhat.com/security/cve/CVE-2015-5156" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the way the Linux kernel's VFS subsystem handled file
system locks. A local, unprivileged user could use this flaw to trigger a
deadlock in the kernel, causing a denial of service on the system.
(CVE-2014-8559, Moderate)
* A buffer overflow flaw was found in the way the Linux kernel's virtio-net
subsystem handled certain fraglists when the GRO (Generic Receive Offload)
functionality was enabled in a bridged network configuration. An attacker
on the local network could potentially use this flaw to crash the system,
or, although unlikely, elevate their privileges on the system.
(CVE-2015-5156, Moderate)
The CVE-2015-5156 issue was discovered by Jason Wang of Red Hat.
This update also fixes several bugs and adds one enhancement. Refer to the
following Knowledgebase article for further information:
https://access.redhat.com/articles/2039563
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add this
enhancement. The system must be rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-03"/>
<updated date="2015-11-03"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8559">CVE-2014-8559</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5156">CVE-2015-5156</cve>
<bugzilla href="https://bugzilla.redhat.com/1159313" id="1159313">CVE-2014-8559 kernel: fs: deadlock due to incorrect usage of rename_lock</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243852" id="1243852">CVE-2015-5156 kernel: buffer overflow with fraglist larger than MAX_SKB_FRAGS + 2 in virtio-net</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978023"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978005"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978027"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978021"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978019"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978015"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978007"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978009"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978011"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978013"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978031"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978029"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978033"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978017"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-229.20.1.el7" test_ref="oval:com.redhat.rhsa:tst:20151978025"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151979" version="601">
<metadata>
<title>RHSA-2015:1979: libreswan security and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:1979-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1979.html" source="RHSA"/>
<reference ref_id="CVE-2015-3240" ref_url="https://access.redhat.com/security/cve/CVE-2015-3240" source="CVE"/>
<description>Libreswan is an implementation of IPsec & IKE for Linux. IPsec is the
Internet Protocol Security and uses strong cryptography to provide both
authentication and encryption services. These services allow you to build
secure tunnels through untrusted networks such as virtual private network
(VPN).
A flaw was discovered in the way Libreswan's IKE daemon processed IKE KE
payloads. A remote attacker could send specially crafted IKE payload with a
KE payload of g^x=0 that, when processed, would lead to a denial of service
(daemon crash). (CVE-2015-3240)
This issue was discovered by Paul Wouters of Red Hat.
Note: Please note that when upgrading from an earlier version of Libreswan,
the existing CA certificates in the /etc/ipsec.d/cacerts/ directory and the
existing certificate revocation list (CRL) files from the
/etc/ipsec.d/crls/ directory are automatically imported into the NSS
database. Once completed, these directories are no longer used by
Libreswan. To install new CA certificates or new CRLS, the certutil and
crlutil commands must be used to import these directly into the Network
Security Services (NSS) database.
This update also adds the following enhancements:
* This update adds support for RFC 7383 IKEv2 Fragmentation, RFC 7619 Auth
Null and ID Null, INVALID_KE renegotiation, CRL and OCSP support via NSS,
AES_CTR and AES_GCM support for IKEv2, CAVS testing for FIPS compliance.
In addition, this update enforces FIPS algorithms restrictions in FIPS
mode, and runs Composite Application Validation System (CAVS) testing for
FIPS compliance during package build. A new Cryptographic Algorithm
Validation Program (CAVP) binary can be used to re-run the CAVS tests at
any time. Regardless of FIPS mode, the pluto daemon runs RFC test vectors
for various algorithms.
Furthermore, compiling on all architectures now enables the "-Werror" GCC
option, which enhances the security by making all warnings into errors.
(BZ#1263346)
* This update also fixes several memory leaks and introduces a sub-second
packet retransmit option. (BZ#1268773)
* This update improves migration support from Openswan to Libreswan.
Specifically, all Openswan options that can take a time value without a
suffix are now supported, and several new keywords for use in the
/etc/ipsec.conf file have been introduced. See the relevant man pages for
details. (BZ#1268775)
* With this update, loopback support via the "loopback=" option has been
deprecated. (BZ#1270673)
All Libreswan users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-03"/>
<updated date="2015-11-04"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3240">CVE-2015-3240</cve>
<bugzilla href="https://bugzilla.redhat.com/1232320" id="1232320">CVE-2015-3240 libreswan / openswan: denial of service via IKE daemon restart when receiving a bad DH gx value</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1268775" id="1268775">libreswan should support strictcrlpolicy alias for crl-strict= option to support openswan migration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273719" id="1273719">libreswan FIPS test mistakenly looks for non-existent file hashes and reports FIPS failure</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="libreswan is earlier than 0:3.15-5.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151979005"/>
<criterion comment="libreswan is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151154006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151981" version="601">
<metadata>
<title>RHSA-2015:1981: nss, nss-util, and nspr security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:1981-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1981.html" source="RHSA"/>
<reference ref_id="CVE-2015-7181" ref_url="https://access.redhat.com/security/cve/CVE-2015-7181" source="CVE"/>
<reference ref_id="CVE-2015-7182" ref_url="https://access.redhat.com/security/cve/CVE-2015-7182" source="CVE"/>
<reference ref_id="CVE-2015-7183" ref_url="https://access.redhat.com/security/cve/CVE-2015-7183" source="CVE"/>
<description>Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform
independence for non-GUI operating system facilities.
A use-after-poison flaw and a heap-based buffer overflow flaw were found in
the way NSS parsed certain ASN.1 structures. An attacker could use these
flaws to cause NSS to crash or execute arbitrary code with the permissions
of the user running an application compiled against the NSS library.
(CVE-2015-7181, CVE-2015-7182)
A heap-based buffer overflow was found in NSPR. An attacker could use this
flaw to cause NSPR to crash or execute arbitrary code with the permissions
of the user running an application compiled against the NSPR library.
(CVE-2015-7183)
Note: Applications using NSPR's PL_ARENA_ALLOCATE, PR_ARENA_ALLOCATE,
PL_ARENA_GROW, or PR_ARENA_GROW macros need to be rebuild against the fixed
nspr packages to completely resolve the CVE-2015-7183 issue. This erratum
includes nss and nss-utils packages rebuilt against the fixed nspr version.
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Tyson Smith, David Keeler and Ryan Sleevi as the
original reporter.
All nss, nss-util and nspr users are advised to upgrade to these updated
packages, which contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-04"/>
<updated date="2015-11-04"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7181">CVE-2015-7181</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7182">CVE-2015-7182</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7183">CVE-2015-7183</cve>
<bugzilla href="https://bugzilla.redhat.com/1269345" id="1269345">CVE-2015-7181 nss: use-after-poison in sec_asn1d_parse_leaf() (MFSA 2015-133)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1269351" id="1269351">CVE-2015-7182 nss: ASN.1 decoder heap overflow when decoding constructed OCTET STRING that mixes indefinite and definite length encodings (MFSA 2015-133)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1269353" id="1269353">CVE-2015-7183 nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (MFSA 2015-133)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.19.1-5.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151981011"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.19.1-5.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151981007"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.19.1-5.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151981013"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.19.1-5.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151981009"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.19.1-5.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151981005"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
<criteria operator="AND">
<criterion comment="nspr is earlier than 0:4.10.8-2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151981017"/>
<criterion comment="nspr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nspr-devel is earlier than 0:4.10.8-2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151981015"/>
<criterion comment="nspr-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916031"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util is earlier than 0:3.19.1-2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151981021"/>
<criterion comment="nss-util is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073006"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util-devel is earlier than 0:3.19.1-2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151981019"/>
<criterion comment="nss-util-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073008"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nspr is earlier than 0:4.10.8-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151981027"/>
<criterion comment="nspr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nspr-devel is earlier than 0:4.10.8-2.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151981028"/>
<criterion comment="nspr-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916031"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.19.1-7.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151981029"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.19.1-7.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151981030"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.19.1-7.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151981032"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.19.1-7.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151981031"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.19.1-7.el7_1.2" test_ref="oval:com.redhat.rhsa:tst:20151981033"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util is earlier than 0:3.19.1-4.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151981035"/>
<criterion comment="nss-util is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073006"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-util-devel is earlier than 0:3.19.1-4.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151981034"/>
<criterion comment="nss-util-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141073008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20151982" version="602">
<metadata>
<title>RHSA-2015:1982: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2015:1982-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1982.html" source="RHSA"/>
<reference ref_id="CVE-2015-4513" ref_url="https://access.redhat.com/security/cve/CVE-2015-4513" source="CVE"/>
<reference ref_id="CVE-2015-7188" ref_url="https://access.redhat.com/security/cve/CVE-2015-7188" source="CVE"/>
<reference ref_id="CVE-2015-7189" ref_url="https://access.redhat.com/security/cve/CVE-2015-7189" source="CVE"/>
<reference ref_id="CVE-2015-7193" ref_url="https://access.redhat.com/security/cve/CVE-2015-7193" source="CVE"/>
<reference ref_id="CVE-2015-7194" ref_url="https://access.redhat.com/security/cve/CVE-2015-7194" source="CVE"/>
<reference ref_id="CVE-2015-7196" ref_url="https://access.redhat.com/security/cve/CVE-2015-7196" source="CVE"/>
<reference ref_id="CVE-2015-7197" ref_url="https://access.redhat.com/security/cve/CVE-2015-7197" source="CVE"/>
<reference ref_id="CVE-2015-7198" ref_url="https://access.redhat.com/security/cve/CVE-2015-7198" source="CVE"/>
<reference ref_id="CVE-2015-7199" ref_url="https://access.redhat.com/security/cve/CVE-2015-7199" source="CVE"/>
<reference ref_id="CVE-2015-7200" ref_url="https://access.redhat.com/security/cve/CVE-2015-7200" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7194, CVE-2015-7196,
CVE-2015-7198, CVE-2015-7197)
A same-origin policy bypass flaw was found in the way Firefox handled
certain cross-origin resource sharing (CORS) requests. A web page
containing malicious content could cause Firefox to disclose sensitive
information. (CVE-2015-7193)
A same-origin policy bypass flaw was found in the way Firefox handled URLs
containing IP addresses with white-space characters. This could lead to
cross-site scripting attacks. (CVE-2015-7188)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, David Major, Jesse Ruderman, Tyson
Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff
Walden, and Gary Kwong, Michał Bentkowski, Looben Yang, Shinto K Anto,
Gustavo Grieco, Vytautas Staraitis, Ronald Crane, and Ehsan Akhgari as the
original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.4.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-04"/>
<updated date="2015-11-04"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4513">CVE-2015-4513</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7188">CVE-2015-7188</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7189">CVE-2015-7189</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7193">CVE-2015-7193</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7194">CVE-2015-7194</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7196">CVE-2015-7196</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7197">CVE-2015-7197</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7198">CVE-2015-7198</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7199">CVE-2015-7199</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7200">CVE-2015-7200</cve>
<bugzilla href="https://bugzilla.redhat.com/1277332" id="1277332">CVE-2015-4513 Mozilla: Miscellaneous memory safety hazards (rv:38.4) (MFSA 2015-116)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277343" id="1277343">CVE-2015-7188 Mozilla: Trailing whitespace in IP address hostnames can bypass same-origin policy (MFSA 2015-122)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277344" id="1277344">CVE-2015-7189 Mozilla: Buffer overflow during image interactions in canvas (MFSA 2015-123)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277346" id="1277346">CVE-2015-7193 Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277347" id="1277347">CVE-2015-7194 Mozilla: Memory corruption in libjar through zip files (MFSA 2015-128)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277349" id="1277349">CVE-2015-7196 Mozilla: JavaScript garbage collection crash with Java applet (MFSA 2015-130)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277350" id="1277350">CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277351" id="1277351">CVE-2015-7197 Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.4.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20151982002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.4.0-1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20151982008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.4.0-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20151982014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152078" version="601">
<metadata>
<title>RHSA-2015:2078: postgresql security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2078-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2078.html" source="RHSA"/>
<reference ref_id="CVE-2015-5288" ref_url="https://access.redhat.com/security/cve/CVE-2015-5288" source="CVE"/>
<reference ref_id="CVE-2015-5289" ref_url="https://access.redhat.com/security/cve/CVE-2015-5289" source="CVE"/>
<description>PostgreSQL is an advanced object-relational database management system
(DBMS).
A memory leak error was discovered in the crypt() function of the pgCrypto
extension. An authenticated attacker could possibly use this flaw to
disclose a limited amount of the server memory. (CVE-2015-5288)
A stack overflow flaw was discovered in the way the PostgreSQL core server
processed certain JSON or JSONB input. An authenticated attacker could
possibly use this flaw to crash the server backend by sending specially
crafted JSON or JSONB input. (CVE-2015-5289)
Please note that SSL renegotiation is now disabled by default. For more
information, please refer to PostgreSQL's 2015-10-08 Security Update
Release notes, linked to in the References section.
All PostgreSQL users are advised to upgrade to these updated packages,
which correct these issues. If the postgresql service is running, it will
be automatically restarted after installing this update.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-18"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5288">CVE-2015-5288</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5289">CVE-2015-5289</cve>
<bugzilla href="https://bugzilla.redhat.com/1270306" id="1270306">CVE-2015-5288 postgresql: limited memory disclosure flaw in crypt()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1270312" id="1270312">CVE-2015-5289 postgresql: stack overflow DoS when parsing json or jsonb inputs</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="postgresql is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078017"/>
<criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750006"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-contrib is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078013"/>
<criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750018"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-devel is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078021"/>
<criterion comment="postgresql-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750014"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-docs is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078007"/>
<criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750016"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-libs is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078009"/>
<criterion comment="postgresql-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750020"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plperl is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078023"/>
<criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750012"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plpython is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078015"/>
<criterion comment="postgresql-plpython is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750008"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-pltcl is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078011"/>
<criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750022"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-server is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078025"/>
<criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750010"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-test is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078019"/>
<criterion comment="postgresql-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750024"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-upgrade is earlier than 0:9.2.14-1.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152078005"/>
<criterion comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750037"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152079" version="601">
<metadata>
<title>RHSA-2015:2079: binutils security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2079-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2079.html" source="RHSA"/>
<reference ref_id="CVE-2014-8484" ref_url="https://access.redhat.com/security/cve/CVE-2014-8484" source="CVE"/>
<reference ref_id="CVE-2014-8485" ref_url="https://access.redhat.com/security/cve/CVE-2014-8485" source="CVE"/>
<reference ref_id="CVE-2014-8501" ref_url="https://access.redhat.com/security/cve/CVE-2014-8501" source="CVE"/>
<reference ref_id="CVE-2014-8502" ref_url="https://access.redhat.com/security/cve/CVE-2014-8502" source="CVE"/>
<reference ref_id="CVE-2014-8503" ref_url="https://access.redhat.com/security/cve/CVE-2014-8503" source="CVE"/>
<reference ref_id="CVE-2014-8504" ref_url="https://access.redhat.com/security/cve/CVE-2014-8504" source="CVE"/>
<reference ref_id="CVE-2014-8737" ref_url="https://access.redhat.com/security/cve/CVE-2014-8737" source="CVE"/>
<reference ref_id="CVE-2014-8738" ref_url="https://access.redhat.com/security/cve/CVE-2014-8738" source="CVE"/>
<description>The binutils packages provide a set of binary utilities.
Multiple buffer overflow flaws were found in the libbdf library used by
various binutils utilities. If a user were tricked into processing a
specially crafted file with an application using the libbdf library, it
could cause the application to crash or, potentially, execute arbitrary
code. (CVE-2014-8485, CVE-2014-8501, CVE-2014-8502, CVE-2014-8503,
CVE-2014-8504, CVE-2014-8738)
An integer overflow flaw was found in the libbdf library used by various
binutils utilities. If a user were tricked into processing a specially
crafted file with an application using the libbdf library, it could cause
the application to crash. (CVE-2014-8484)
A directory traversal flaw was found in the strip and objcopy utilities.
A specially crafted file could cause strip or objdump to overwrite an
arbitrary file writable by the user running either of these utilities.
(CVE-2014-8737)
This update fixes the following bugs:
* Binary files started by the system loader could lack the Relocation
Read-Only (RELRO) protection even though it was explicitly requested when
the application was built. This bug has been fixed on multiple
architectures. Applications and all dependent object files, archives, and
libraries built with an alpha or beta version of binutils should be rebuilt
to correct this defect. (BZ#1200138, BZ#1175624)
* The ld linker on 64-bit PowerPC now correctly checks the output format
when asked to produce a binary in another format than PowerPC. (BZ#1226864)
* An important variable that holds the symbol table for the binary being
debugged has been made persistent, and the objdump utility on 64-bit
PowerPC is now able to access the needed information without reading an
invalid memory region. (BZ#1172766)
* Undesirable runtime relocations described in RHBA-2015:0974. (BZ#872148)
The update adds these enhancements:
* New hardware instructions of the IBM z Systems z13 are now supported by
assembler, disassembler, and linker, as well as Single Instruction,
Multiple Data (SIMD) instructions. (BZ#1182153)
* Expressions of the form: "FUNC@localentry" to refer to the local entry
point for the FUNC function (if defined) are now supported by the PowerPC
assembler. These are required by the ELFv2 ABI on the little-endian variant
of IBM Power Systems. (BZ#1194164)
All binutils users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-01"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8484">CVE-2014-8484</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8485">CVE-2014-8485</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8501">CVE-2014-8501</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8502">CVE-2014-8502</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8503">CVE-2014-8503</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8504">CVE-2014-8504</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8737">CVE-2014-8737</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8738">CVE-2014-8738</cve>
<bugzilla href="https://bugzilla.redhat.com/1156272" id="1156272">CVE-2014-8484 binutils: invalid read flaw in libbfd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1157276" id="1157276">CVE-2014-8485 binutils: lack of range checking leading to controlled write in _bfd_elf_setup_sections()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162570" id="1162570">CVE-2014-8501 binutils: out-of-bounds write when parsing specially crafted PE executable</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162594" id="1162594">CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162607" id="1162607">CVE-2014-8503 binutils: stack overflow in objdump when parsing specially crafted ihex file</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162621" id="1162621">CVE-2014-8504 binutils: stack overflow in the SREC parser</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162655" id="1162655">CVE-2014-8737 binutils: directory traversal vulnerability</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162666" id="1162666">CVE-2014-8738 binutils: out of bounds memory write</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1172766" id="1172766">ppc64: segv in libbfd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1200138" id="1200138">binutils: ld sporadically generates binaries without relro protection even when told so</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1203603" id="1203603">The binutils package contains the windmc(1) manual page but the utility is not included</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1238783" id="1238783">[aarch64][binutils] relocation truncated to fit: R_AARCH64_LD64_GOT_LO12_NC against</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="binutils is earlier than 0:2.23.52.0.1-55.el7" test_ref="oval:com.redhat.rhsa:tst:20152079005"/>
<criterion comment="binutils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152079006"/>
</criteria>
<criteria operator="AND">
<criterion comment="binutils-devel is earlier than 0:2.23.52.0.1-55.el7" test_ref="oval:com.redhat.rhsa:tst:20152079007"/>
<criterion comment="binutils-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152079008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152086" version="601">
<metadata>
<title>RHSA-2015:2086: java-1.6.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2086-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2086.html" source="RHSA"/>
<reference ref_id="CVE-2015-4734" ref_url="https://access.redhat.com/security/cve/CVE-2015-4734" source="CVE"/>
<reference ref_id="CVE-2015-4803" ref_url="https://access.redhat.com/security/cve/CVE-2015-4803" source="CVE"/>
<reference ref_id="CVE-2015-4805" ref_url="https://access.redhat.com/security/cve/CVE-2015-4805" source="CVE"/>
<reference ref_id="CVE-2015-4806" ref_url="https://access.redhat.com/security/cve/CVE-2015-4806" source="CVE"/>
<reference ref_id="CVE-2015-4835" ref_url="https://access.redhat.com/security/cve/CVE-2015-4835" source="CVE"/>
<reference ref_id="CVE-2015-4842" ref_url="https://access.redhat.com/security/cve/CVE-2015-4842" source="CVE"/>
<reference ref_id="CVE-2015-4843" ref_url="https://access.redhat.com/security/cve/CVE-2015-4843" source="CVE"/>
<reference ref_id="CVE-2015-4844" ref_url="https://access.redhat.com/security/cve/CVE-2015-4844" source="CVE"/>
<reference ref_id="CVE-2015-4860" ref_url="https://access.redhat.com/security/cve/CVE-2015-4860" source="CVE"/>
<reference ref_id="CVE-2015-4872" ref_url="https://access.redhat.com/security/cve/CVE-2015-4872" source="CVE"/>
<reference ref_id="CVE-2015-4881" ref_url="https://access.redhat.com/security/cve/CVE-2015-4881" source="CVE"/>
<reference ref_id="CVE-2015-4882" ref_url="https://access.redhat.com/security/cve/CVE-2015-4882" source="CVE"/>
<reference ref_id="CVE-2015-4883" ref_url="https://access.redhat.com/security/cve/CVE-2015-4883" source="CVE"/>
<reference ref_id="CVE-2015-4893" ref_url="https://access.redhat.com/security/cve/CVE-2015-4893" source="CVE"/>
<reference ref_id="CVE-2015-4903" ref_url="https://access.redhat.com/security/cve/CVE-2015-4903" source="CVE"/>
<reference ref_id="CVE-2015-4911" ref_url="https://access.redhat.com/security/cve/CVE-2015-4911" source="CVE"/>
<description>The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,
and 2D components in OpenJDK. An untrusted Java application or applet could
use these flaws to completely bypass Java sandbox restrictions.
(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,
CVE-2015-4805, CVE-2015-4844)
Multiple denial of service flaws were found in the JAXP component in
OpenJDK. A specially crafted XML file could cause a Java application using
JAXP to consume an excessive amount of CPU and memory when parsed.
(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)
It was discovered that the Security component in OpenJDK failed to properly
check if a certificate satisfied all defined constraints. In certain cases,
this could cause a Java application to accept an X.509 certificate which
does not meet requirements of the defined policy. (CVE-2015-4872)
Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4806,
CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903)
Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the
CVE-2015-4806 issue.
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-18"/>
<updated date="2015-11-18"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4734">CVE-2015-4734</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4803">CVE-2015-4803</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4805">CVE-2015-4805</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4806">CVE-2015-4806</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4835">CVE-2015-4835</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4842">CVE-2015-4842</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4843">CVE-2015-4843</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4844">CVE-2015-4844</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4860">CVE-2015-4860</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4872">CVE-2015-4872</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4881">CVE-2015-4881</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4882">CVE-2015-4882</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4883">CVE-2015-4883</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4893">CVE-2015-4893</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4903">CVE-2015-4903</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4911">CVE-2015-4911</cve>
<bugzilla href="https://bugzilla.redhat.com/1233687" id="1233687">CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273022" id="1273022">CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273027" id="1273027">CVE-2015-4881 OpenJDK: missing type checks in IIOPInputStream (CORBA, 8076392)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273053" id="1273053">CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273304" id="1273304">CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273308" id="1273308">CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273311" id="1273311">CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273318" id="1273318">CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273414" id="1273414">CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273425" id="1273425">CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273430" id="1273430">CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273496" id="1273496">CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273637" id="1273637">CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273638" id="1273638">CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273645" id="1273645">CVE-2015-4911 OpenJDK: incomplete supportDTD enforcement (JAXP, 8130078)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1273734" id="1273734">CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.37-1.13.9.4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20152086002"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907003"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.37-1.13.9.4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20152086004"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907011"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.37-1.13.9.4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20152086008"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907009"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.37-1.13.9.4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20152086010"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907007"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.37-1.13.9.4.el5_11" test_ref="oval:com.redhat.rhsa:tst:20152086006"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907005"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.37-1.13.9.4.el6_7" test_ref="oval:com.redhat.rhsa:tst:20152086020"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.37-1.13.9.4.el6_7" test_ref="oval:com.redhat.rhsa:tst:20152086018"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.37-1.13.9.4.el6_7" test_ref="oval:com.redhat.rhsa:tst:20152086022"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.37-1.13.9.4.el6_7" test_ref="oval:com.redhat.rhsa:tst:20152086016"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.37-1.13.9.4.el6_7" test_ref="oval:com.redhat.rhsa:tst:20152086024"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.37-1.13.9.4.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152086032"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.37-1.13.9.4.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152086033"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.37-1.13.9.4.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152086034"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.37-1.13.9.4.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152086030"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.37-1.13.9.4.el7_1" test_ref="oval:com.redhat.rhsa:tst:20152086031"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152088" version="601">
<metadata>
<title>RHSA-2015:2088: openssh security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2088-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2088.html" source="RHSA"/>
<reference ref_id="CVE-2015-5600" ref_url="https://access.redhat.com/security/cve/CVE-2015-5600" source="CVE"/>
<reference ref_id="CVE-2015-6563" ref_url="https://access.redhat.com/security/cve/CVE-2015-6563" source="CVE"/>
<reference ref_id="CVE-2015-6564" ref_url="https://access.redhat.com/security/cve/CVE-2015-6564" source="CVE"/>
<description>OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These
packages include the core files necessary for both the OpenSSH client and
server.
A flaw was found in the way OpenSSH handled PAM authentication when using
privilege separation. An attacker with valid credentials on the system and
able to fully compromise a non-privileged pre-authentication process using
a different flaw could use this flaw to authenticate as other users.
(CVE-2015-6563)
A use-after-free flaw was found in OpenSSH. An attacker able to fully
compromise a non-privileged pre-authentication process using a different
flaw could possibly cause sshd to crash or execute arbitrary code with
root privileges. (CVE-2015-6564)
It was discovered that the OpenSSH sshd daemon did not check the list of
keyboard-interactive authentication methods for duplicates. A remote
attacker could use this flaw to bypass the MaxAuthTries limit, making it
easier to perform password guessing attacks. (CVE-2015-5600)
It was found that the OpenSSH ssh-agent, a program to hold private keys
used for public key authentication, was vulnerable to password guessing
attacks. An attacker able to connect to the agent could use this flaw to
conduct a brute-force attack to unlock keys in the ssh-agent. (BZ#1238238)
This update fixes the following bugs:
* Previously, the sshd_config(5) man page was misleading and could thus
confuse the user. This update improves the man page text to clearly
describe the AllowGroups feature. (BZ#1150007)
* The limit for the function for restricting the number of files listed using the wildcard character (*) that prevents the Denial of Service (DoS) for both server and client was previously set too low. Consequently, the user reaching the limit was prevented from listing a directory with a large number of files over Secure File Transfer Protocol (SFTP). This update increases the aforementioned limit, thus fixing this bug. (BZ#1160377)
* When the ForceCommand option with a pseudoterminal was used and the
MaxSession option was set to "2", multiplexed SSH connections did not work
as expected. After the user attempted to open a second multiplexed
connection, the attempt failed if the first connection was still open. This
update modifies OpenSSH to issue only one audit message per session, and
the user is thus able to open two multiplexed connections in this
situation. (BZ#1199112)
* The ssh-copy-id utility failed if the account on the remote server did
not use an sh-like shell. Remote commands have been modified to run in an
sh-like shell, and ssh-copy-id now works also with non-sh-like shells.
(BZ#1201758)
* Due to a race condition between auditing messages and answers when using
ControlMaster multiplexing, one session in the shared connection randomly
and unexpectedly exited the connection. This update fixes the race
condition in the auditing code, and multiplexing connections now work as
expected even with a number of sessions created at once. (BZ#1240613)
In addition, this update adds the following enhancements:
* As not all Lightweight Directory Access Protocol (LDAP) servers possess
a default schema, as expected by the ssh-ldap-helper program, this update
provides the user with an ability to adjust the LDAP query to get public
keys from servers with a different schema, while the default functionality
stays untouched. (BZ#1201753)
* With this enhancement update, the administrator is able to set
permissions for files uploaded using Secure File Transfer Protocol (SFTP).
(BZ#1197989)
* This update provides the LDAP schema in LDAP Data Interchange Format (LDIF) format as a complement to the old schema previously accepted
by OpenLDAP. (BZ#1184938)
* With this update, the user can selectively disable the Generic Security
Services API (GSSAPI) key exchange algorithms as any normal key exchange.
(BZ#1253062)
Users of openssh are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-11"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5600">CVE-2015-5600</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-6563">CVE-2015-6563</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-6564">CVE-2015-6564</cve>
<bugzilla href="https://bugzilla.redhat.com/1125110" id="1125110">pam_namespace usage is not consistent across system-wide PAM configuration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1160377" id="1160377">sftp is failing using wildcards and many files</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1178116" id="1178116">Default selinux policy prevents ssh-ldap-helper from connecting to LDAP server</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1181591" id="1181591">No Documentation= line in the sshd.service file</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184938" id="1184938">Provide LDIF version of LPK schema</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187597" id="1187597">sshd -T does not show all (default) options, inconsistency</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1197666" id="1197666">ssh client using HostbasedAuthentication aborts in FIPS mode</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1197989" id="1197989">RFE: option to let openssh/sftp force the exact permissions on newly uploaded files</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1238238" id="1238238">openssh: weakness of agent locking (ssh-add -x) to password guessing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1245969" id="1245969">CVE-2015-5600 openssh: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252844" id="1252844">CVE-2015-6563 openssh: Privilege separation weakness related to PAM support</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252852" id="1252852">CVE-2015-6564 openssh: Use-after-free bug related to PAM support</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssh is earlier than 0:6.6.1p1-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152088013"/>
<criterion comment="openssh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-askpass is earlier than 0:6.6.1p1-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152088015"/>
<criterion comment="openssh-askpass is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-clients is earlier than 0:6.6.1p1-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152088005"/>
<criterion comment="openssh-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425018"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-keycat is earlier than 0:6.6.1p1-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152088017"/>
<criterion comment="openssh-keycat is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425012"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-ldap is earlier than 0:6.6.1p1-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152088019"/>
<criterion comment="openssh-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-server is earlier than 0:6.6.1p1-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152088007"/>
<criterion comment="openssh-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-server-sysvinit is earlier than 0:6.6.1p1-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152088009"/>
<criterion comment="openssh-server-sysvinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425016"/>
</criteria>
<criteria operator="AND">
<criterion comment="pam_ssh_agent_auth is earlier than 0:0.9.3-9.22.el7" test_ref="oval:com.redhat.rhsa:tst:20152088011"/>
<criterion comment="pam_ssh_agent_auth is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152101" version="601">
<metadata>
<title>RHSA-2015:2101: python security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2101-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2101.html" source="RHSA"/>
<reference ref_id="CVE-2013-1752" ref_url="https://access.redhat.com/security/cve/CVE-2013-1752" source="CVE"/>
<reference ref_id="CVE-2013-1753" ref_url="https://access.redhat.com/security/cve/CVE-2013-1753" source="CVE"/>
<reference ref_id="CVE-2014-4616" ref_url="https://access.redhat.com/security/cve/CVE-2014-4616" source="CVE"/>
<reference ref_id="CVE-2014-4650" ref_url="https://access.redhat.com/security/cve/CVE-2014-4650" source="CVE"/>
<reference ref_id="CVE-2014-7185" ref_url="https://access.redhat.com/security/cve/CVE-2014-7185" source="CVE"/>
<description>Python is an interpreted, interactive, object-oriented programming language
often compared to Tcl, Perl, Scheme, or Java. Python includes modules,
classes, exceptions, very high level dynamic data types and dynamic typing.
Python supports interfaces to many system calls and libraries, as well as
to various windowing systems (X11, Motif, Tk, Mac and MFC).
It was discovered that the Python xmlrpclib module did not restrict the
size of gzip-compressed HTTP responses. A malicious XMLRPC server could
cause an XMLRPC client using xmlrpclib to consume an excessive amount of
memory. (CVE-2013-1753)
It was discovered that multiple Python standard library modules
implementing network protocols (such as httplib or smtplib) failed to
restrict the sizes of server responses. A malicious server could cause a
client using one of the affected modules to consume an excessive amount of
memory. (CVE-2013-1752)
It was discovered that the CGIHTTPServer module incorrectly handled URL
encoded paths. A remote attacker could use this flaw to execute scripts
outside of the cgi-bin directory, or disclose the source code of the
scripts in the cgi-bin directory. (CVE-2014-4650)
An integer overflow flaw was found in the way the buffer() function handled
its offset and size arguments. An attacker able to control these arguments
could use this flaw to disclose portions of the application memory or cause
it to crash. (CVE-2014-7185)
A flaw was found in the way the json module handled negative index
arguments passed to certain functions (such as raw_decode()). An attacker
able to control the index value passed to one of the affected functions
could possibly use this flaw to disclose portions of the application
memory. (CVE-2014-4616)
The Python standard library HTTP client modules (such as httplib or urllib)
did not perform verification of TLS/SSL certificates when connecting to
HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack
connections and eavesdrop or modify transferred data. (CVE-2014-9365)
Note: The Python standard library was updated to make it possible to enable
certificate verification by default. However, for backwards compatibility,
verification remains disabled by default. Future updates may change this
default. Refer to the Knowledgebase article 2039753 linked to in the
References section for further details about this change. (BZ#1219108)
This update also fixes the following bugs:
* Subprocesses used with the Eventlet library or regular threads previously
tried to close epoll file descriptors twice, which led to an "Invalid
argument" error. Subprocesses have been fixed to close the file descriptors
only once. (BZ#1103452)
* When importing the readline module from a Python script, Python no longer
produces erroneous random characters on stdout. (BZ#1189301)
* The cProfile utility has been fixed to print all values that the "-s"
option supports when this option is used without a correct value.
(BZ#1237107)
* The load_cert_chain() function now accepts "None" as a keyfile argument.
(BZ#1250611)
In addition, this update adds the following enhancements:
* Security enhancements as described in PEP 466 have been backported to the
Python standard library, for example, new features of the ssl module:
Server Name Indication (SNI) support, support for new TLSv1.x protocols,
new hash algorithms in the hashlib module, and many more. (BZ#1111461)
* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl
library. (BZ#1192015)
* The ssl.SSLSocket.version() method is now available to access information
about the version of the SSL protocol used in a connection. (BZ#1259421)
All python users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-25"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2013-1752">CVE-2013-1752</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2013-1753">CVE-2013-1753</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4616">CVE-2014-4616</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-4650">CVE-2014-4650</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7185">CVE-2014-7185</cve>
<bugzilla href="https://bugzilla.redhat.com/1046170" id="1046170">CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip enconding</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1046174" id="1046174">CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1058482" id="1058482">tmpwatch removes python multiprocessing sockets</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1112285" id="1112285">CVE-2014-4616 python: missing boundary check in JSON module</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113527" id="1113527">CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1146026" id="1146026">CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1173041" id="1173041">CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1177613" id="1177613">setup.py bdist_rpm NameError: global name 'get_python_version' is not defined</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1181624" id="1181624">multiprocessing BaseManager serve_client() does not check EINTR on recv</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1237107" id="1237107">cProfile main() traceback if options syntax is invalid</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1250611" id="1250611">SSLContext.load_cert_chain() keyfile argument can't be set to None</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1259421" id="1259421">Backport SSLSocket.version() to python 2.7.5</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="python is earlier than 0:2.7.5-34.el7" test_ref="oval:com.redhat.rhsa:tst:20152101005"/>
<criterion comment="python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152101006"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-debug is earlier than 0:2.7.5-34.el7" test_ref="oval:com.redhat.rhsa:tst:20152101015"/>
<criterion comment="python-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152101016"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-devel is earlier than 0:2.7.5-34.el7" test_ref="oval:com.redhat.rhsa:tst:20152101017"/>
<criterion comment="python-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152101018"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-libs is earlier than 0:2.7.5-34.el7" test_ref="oval:com.redhat.rhsa:tst:20152101013"/>
<criterion comment="python-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152101014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-test is earlier than 0:2.7.5-34.el7" test_ref="oval:com.redhat.rhsa:tst:20152101009"/>
<criterion comment="python-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152101010"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-tools is earlier than 0:2.7.5-34.el7" test_ref="oval:com.redhat.rhsa:tst:20152101007"/>
<criterion comment="python-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152101008"/>
</criteria>
<criteria operator="AND">
<criterion comment="tkinter is earlier than 0:2.7.5-34.el7" test_ref="oval:com.redhat.rhsa:tst:20152101011"/>
<criterion comment="tkinter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152101012"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152108" version="601">
<metadata>
<title>RHSA-2015:2108: cpio security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2108-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2108.html" source="RHSA"/>
<reference ref_id="CVE-2014-9112" ref_url="https://access.redhat.com/security/cve/CVE-2014-9112" source="CVE"/>
<description>The cpio packages provide the GNU cpio utility for creating and extracting
archives, or copying files from one place to another.
A heap-based buffer overflow flaw was found in cpio's list_file() function.
An attacker could provide a specially crafted archive that, when processed
by cpio, would crash cpio, or potentially lead to arbitrary code execution.
(CVE-2014-9112)
This update fixes the following bugs:
* Previously, during archive creation, cpio internals did not detect a
read() system call failure. Based on the premise that the call succeeded,
cpio terminated unexpectedly with a segmentation fault without processing
further files. The underlying source code has been patched, and an archive
is now created successfully. (BZ#1138148)
* Previously, running the cpio command without parameters on Red Hat
Enterprise Linux 7 with Russian as the default language resulted in an
error message that was not accurate in Russian due to an error in spelling.
This has been corrected and the Russian error message is spelled correctly.
(BZ#1075513)
All cpio users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-21"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9112">CVE-2014-9112</cve>
<bugzilla href="https://bugzilla.redhat.com/1075513" id="1075513">[PATCH] Typo in ru.po</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1167571" id="1167571">CVE-2014-9112 cpio: heap-based buffer overflow flaw in list_file()</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="cpio is earlier than 0:2.11-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152108005"/>
<criterion comment="cpio is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152108006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152111" version="601">
<metadata>
<title>RHSA-2015:2111: grep security and bug fix update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2111-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2111.html" source="RHSA"/>
<reference ref_id="CVE-2015-1345" ref_url="https://access.redhat.com/security/cve/CVE-2015-1345" source="CVE"/>
<description>The grep utility searches through textual input for lines that contain a
match to a specified pattern and then prints the matching lines. The GNU
grep utilities include grep, egrep, and fgrep.
A heap-based buffer overflow flaw was found in the way grep processed
certain pattern and text combinations. An attacker able to trick a user
into running grep on specially crafted input could use this flaw to crash
grep or, potentially, read from uninitialized memory. (CVE-2015-1345)
This update also fixes the following bugs:
* Prior to this update, the \w and \W symbols were inconsistently matched
to the [:alnum:] character class. Consequently, using regular expressions
with "\w" and "\W" could lead to incorrect results. With this update, "\w"
is consistently matched to the [_[:alnum:]] character, and "\W" is
consistently matched to the [^_[:alnum:]] character. (BZ#1159012)
* Previously, the Perl Compatible Regular Expression (PCRE) matcher
(selected by the "-P" parameter in grep) did not work correctly when
matching non-UTF-8 text in UTF-8 locales. Consequently, an error message
about invalid UTF-8 byte sequence characters was returned. To fix this bug,
patches from upstream have been applied to the grep utility. As a result,
PCRE now skips non-UTF-8 characters as non-matching text without returning
any error message. (BZ#1217080)
All grep users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-29"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1345">CVE-2015-1345</cve>
<bugzilla href="https://bugzilla.redhat.com/1103259" id="1103259">undocumented option --fixed-regexp</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159012" id="1159012">inconsistent \w and [[:alnum:]] behaviour</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183651" id="1183651">CVE-2015-1345 grep: heap buffer overrun</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="grep is earlier than 0:2.20-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152111005"/>
<criterion comment="grep is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152111006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152131" version="601">
<metadata>
<title>RHSA-2015:2131: openldap security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2131-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2131.html" source="RHSA"/>
<reference ref_id="CVE-2015-3276" ref_url="https://access.redhat.com/security/cve/CVE-2015-3276" source="CVE"/>
<description>OpenLDAP is an open-source suite of Lightweight Directory Access Protocol
(LDAP) applications and development tools. LDAP is a set of protocols used
to access and maintain distributed directory information services over an
IP network. The openldap packages contain configuration files, libraries,
and documentation for OpenLDAP.
A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings.
As a result, OpenLDAP could potentially use ciphers that were not intended
to be enabled. (CVE-2015-3276)
This issue was discovered by Martin Poole of the Red Hat Software
Maintenance Engineering group.
The openldap packages have been upgraded to upstream version 2.4.40, which
provides a number of bug fixes and one enhancement over the previous
version:
* The ORDERING matching rules have been added to the ppolicy attribute type
descriptions.
* The server no longer terminates unexpectedly when processing SRV records.
* Missing objectClass information has been added, which enables the user to
modify the front-end configuration by standard means.
(BZ#1147982)
This update also fixes the following bugs:
* Previously, OpenLDAP did not properly handle a number of simultaneous
updates. As a consequence, sending a number of parallel update requests to
the server could cause a deadlock. With this update, a superfluous locking
mechanism causing the deadlock has been removed, thus fixing the bug.
(BZ#1125152)
* The httpd service sometimes terminated unexpectedly with a segmentation
fault on the libldap library unload. The underlying source code has been
modified to prevent a bad memory access error that caused the bug to occur.
As a result, httpd no longer crashes in this situation. (BZ#1158005)
* After upgrading the system from Red Hat Enterprise Linux 6 to Red Hat
Enterprise Linux 7, symbolic links to certain libraries unexpectedly
pointed to locations belonging to the openldap-devel package. If the user
uninstalled openldap-devel, the symbolic links were broken and the "rpm -V
openldap" command sometimes produced errors. With this update, the symbolic
links no longer get broken in the described situation. If the user
downgrades openldap to version 2.4.39-6 or earlier, the symbolic links
might break. After such downgrade, it is recommended to verify that the
symbolic links did not break. To do this, make sure the yum-plugin-verify
package is installed and obtain the target libraries by running the "rpm -V
openldap" or "yum verify openldap" command. (BZ#1230263)
In addition, this update adds the following enhancement:
* OpenLDAP clients now automatically choose the Network Security Services
(NSS) default cipher suites for communication with the server. It is no
longer necessary to maintain the default cipher suites manually in the
OpenLDAP source code. (BZ#1245279)
All openldap users are advised to upgrade to these updated packages, which
correct these issues and add this enhancement.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-26"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3276">CVE-2015-3276</cve>
<bugzilla href="https://bugzilla.redhat.com/1147982" id="1147982">Rebase openldap to 2.4.40</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158005" id="1158005">OpenLDAP crash in NSS shutdown handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174634" id="1174634">pwdChecker library requires version in pwdCheckModule attribute</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174723" id="1174723">values for pwdChecker are not set to default values</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175415" id="1175415">openldap: crash in ldap_domain2hostlist when processing SRV records</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184585" id="1184585">slaptest doesn't convert perlModuleConfig lines</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209229" id="1209229">openldap-servers leverages 'find' from findutils which is not a dep of the rpm</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1226600" id="1226600">olcDatabase in olcFrontend attribute incorrect/faulty</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1230263" id="1230263">rpm -V openldap complains</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1231228" id="1231228">automount via ldap with TLS/SSL support is not working</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1238322" id="1238322">CVE-2015-3276 openldap: incorrect multi-keyword mode cipherstring parsing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1245279" id="1245279">OpenLDAP doesn't use sane (or default) cipher order</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openldap is earlier than 0:2.4.40-8.el7" test_ref="oval:com.redhat.rhsa:tst:20152131011"/>
<criterion comment="openldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840023"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-clients is earlier than 0:2.4.40-8.el7" test_ref="oval:com.redhat.rhsa:tst:20152131009"/>
<criterion comment="openldap-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840027"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-devel is earlier than 0:2.4.40-8.el7" test_ref="oval:com.redhat.rhsa:tst:20152131005"/>
<criterion comment="openldap-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840021"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-servers is earlier than 0:2.4.40-8.el7" test_ref="oval:com.redhat.rhsa:tst:20152131013"/>
<criterion comment="openldap-servers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840029"/>
</criteria>
<criteria operator="AND">
<criterion comment="openldap-servers-sql is earlier than 0:2.4.40-8.el7" test_ref="oval:com.redhat.rhsa:tst:20152131007"/>
<criterion comment="openldap-servers-sql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151840025"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152140" version="601">
<metadata>
<title>RHSA-2015:2140: libssh2 security and bug fix update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2140-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2140.html" source="RHSA"/>
<reference ref_id="CVE-2015-1782" ref_url="https://access.redhat.com/security/cve/CVE-2015-1782" source="CVE"/>
<description>The libssh2 packages provide a library that implements the SSH2 protocol.
A flaw was found in the way the kex_agree_methods() function of libssh2
performed a key exchange when negotiating a new SSH session. A
man-in-the-middle attacker could use a crafted SSH_MSG_KEXINIT packet to
crash a connecting libssh2 client. (CVE-2015-1782)
This update also fixes the following bugs:
* Previously, libssh2 did not correctly adjust the size of the receive
window while reading from an SSH channel. This caused downloads over
the secure copy (SCP) protocol to consume an excessive amount of memory.
A series of upstream patches has been applied on the libssh2 source code to
improve handling of the receive window size. Now, SCP downloads work as
expected. (BZ#1080459)
* Prior to this update, libssh2 did not properly initialize an internal
variable holding the SSH agent file descriptor, which caused the agent
destructor to close the standard input file descriptor by mistake.
An upstream patch has been applied on libssh2 sources to properly
initialize the internal variable. Now, libssh2 closes only the file
descriptors it owns. (BZ#1147717)
All libssh2 users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing these
updated packages, all running applications using libssh2 must be restarted
for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-05"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1782">CVE-2015-1782</cve>
<bugzilla href="https://bugzilla.redhat.com/1147717" id="1147717">free'ing a not-connected agent closes STDIN</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199511" id="1199511">CVE-2015-1782 libssh2: Using SSH_MSG_KEXINIT data unbounded</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libssh2 is earlier than 0:1.4.3-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152140005"/>
<criterion comment="libssh2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152140006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libssh2-devel is earlier than 0:1.4.3-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152140007"/>
<criterion comment="libssh2-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152140008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libssh2-docs is earlier than 0:1.4.3-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152140009"/>
<criterion comment="libssh2-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152140010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152151" version="601">
<metadata>
<title>RHSA-2015:2151: xfsprogs security, bug fix and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2151-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2151.html" source="RHSA"/>
<reference ref_id="CVE-2012-2150" ref_url="https://access.redhat.com/security/cve/CVE-2012-2150" source="CVE"/>
<description>The xfsprogs packages contain a set of commands to use the XFS file system,
including the mkfs.xfs command to construct an XFS system.
It was discovered that the xfs_metadump tool of the xfsprogs suite did not
fully adhere to the standards of obfuscation described in its man page. In
case a user with the necessary privileges used xfs_metadump and relied on
the advertised obfuscation, the generated data could contain unexpected
traces of potentially sensitive information. (CVE-2012-2150)
The xfsprogs packages have been upgraded to upstream version 3.2.2, which
provides a number of bug fixes and enhancements over the previous version.
This release also includes updates present in upstream version 3.2.3,
although it omits the mkfs.xfs default disk format change (for metadata
checksumming) which is present upstream. (BZ#1223991)
Users of xfsprogs are advised to upgrade to these updated packages, which
fix these bugs and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-14"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2012-2150">CVE-2012-2150</cve>
<bugzilla href="https://bugzilla.redhat.com/817696" id="817696">CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1201238" id="1201238">xfs_repair verify the last secondary superblock corruption failed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223991" id="1223991">Rebase xfsprogs to 3.2.3 (pending upstream)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="xfsprogs is earlier than 0:3.2.2-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152151005"/>
<criterion comment="xfsprogs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152151006"/>
</criteria>
<criteria operator="AND">
<criterion comment="xfsprogs-devel is earlier than 0:3.2.2-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152151007"/>
<criterion comment="xfsprogs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152151008"/>
</criteria>
<criteria operator="AND">
<criterion comment="xfsprogs-qa-devel is earlier than 0:3.2.2-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152151009"/>
<criterion comment="xfsprogs-qa-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152151010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152152" version="603">
<metadata>
<title>RHSA-2015:2152: kernel security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2152-02" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2152.html" source="RHSA"/>
<reference ref_id="CVE-2010-5313" ref_url="https://access.redhat.com/security/cve/CVE-2010-5313" source="CVE"/>
<reference ref_id="CVE-2013-7421" ref_url="https://access.redhat.com/security/cve/CVE-2013-7421" source="CVE"/>
<reference ref_id="CVE-2014-3647" ref_url="https://access.redhat.com/security/cve/CVE-2014-3647" source="CVE"/>
<reference ref_id="CVE-2014-7842" ref_url="https://access.redhat.com/security/cve/CVE-2014-7842" source="CVE"/>
<reference ref_id="CVE-2014-8171" ref_url="https://access.redhat.com/security/cve/CVE-2014-8171" source="CVE"/>
<reference ref_id="CVE-2014-9419" ref_url="https://access.redhat.com/security/cve/CVE-2014-9419" source="CVE"/>
<reference ref_id="CVE-2014-9644" ref_url="https://access.redhat.com/security/cve/CVE-2014-9644" source="CVE"/>
<reference ref_id="CVE-2015-0239" ref_url="https://access.redhat.com/security/cve/CVE-2015-0239" source="CVE"/>
<reference ref_id="CVE-2015-2925" ref_url="https://access.redhat.com/security/cve/CVE-2015-2925" source="CVE"/>
<reference ref_id="CVE-2015-3339" ref_url="https://access.redhat.com/security/cve/CVE-2015-3339" source="CVE"/>
<reference ref_id="CVE-2015-4170" ref_url="https://access.redhat.com/security/cve/CVE-2015-4170" source="CVE"/>
<reference ref_id="CVE-2015-5283" ref_url="https://access.redhat.com/security/cve/CVE-2015-5283" source="CVE"/>
<reference ref_id="CVE-2015-6526" ref_url="https://access.redhat.com/security/cve/CVE-2015-6526" source="CVE"/>
<reference ref_id="CVE-2015-7613" ref_url="https://access.redhat.com/security/cve/CVE-2015-7613" source="CVE"/>
<reference ref_id="CVE-2015-7837" ref_url="https://access.redhat.com/security/cve/CVE-2015-7837" source="CVE"/>
<reference ref_id="CVE-2016-0774" ref_url="https://access.redhat.com/security/cve/CVE-2016-0774" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the way the Linux kernel's file system implementation
handled rename operations in which the source was inside and the
destination was outside of a bind mount. A privileged user inside a
container could use this flaw to escape the bind mount and, potentially,
escalate their privileges on the system. (CVE-2015-2925, Important)
* A race condition flaw was found in the way the Linux kernel's IPC
subsystem initialized certain fields in an IPC object structure that were
later used for permission checking before inserting the object into a
globally visible list. A local, unprivileged user could potentially use
this flaw to elevate their privileges on the system. (CVE-2015-7613,
Important)
* It was found that reporting emulation failures to user space could lead
to either a local (CVE-2014-7842) or a L2->L1 (CVE-2010-5313) denial of
service. In the case of a local denial of service, an attacker must have
access to the MMIO area or be able to access an I/O port. (CVE-2010-5313,
CVE-2014-7842, Moderate)
* A flaw was found in the way the Linux kernel's KVM subsystem handled
non-canonical addresses when emulating instructions that change the RIP
(for example, branches or calls). A guest user with access to an I/O or
MMIO region could use this flaw to crash the guest. (CVE-2014-3647,
Moderate)
* It was found that the Linux kernel memory resource controller's (memcg)
handling of OOM (out of memory) conditions could lead to deadlocks.
An attacker could use this flaw to lock up the system. (CVE-2014-8171,
Moderate)
* A race condition flaw was found between the chown and execve system
calls. A local, unprivileged user could potentially use this flaw to
escalate their privileges on the system. (CVE-2015-3339, Moderate)
* A flaw was discovered in the way the Linux kernel's TTY subsystem handled
the tty shutdown phase. A local, unprivileged user could use this flaw to
cause a denial of service on the system. (CVE-2015-4170, Moderate)
* A NULL pointer dereference flaw was found in the SCTP implementation.
A local user could use this flaw to cause a denial of service on the system
by triggering a kernel panic when creating multiple sockets in parallel
while the system did not have the SCTP module loaded. (CVE-2015-5283,
Moderate)
* A flaw was found in the way the Linux kernel's perf subsystem retrieved
userlevel stack traces on PowerPC systems. A local, unprivileged user could
use this flaw to cause a denial of service on the system. (CVE-2015-6526,
Moderate)
* A flaw was found in the way the Linux kernel's Crypto subsystem handled
automatic loading of kernel modules. A local user could use this flaw to
load any installed kernel module, and thus increase the attack surface of
the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)
* An information leak flaw was found in the way the Linux kernel changed
certain segment registers and thread-local storage (TLS) during a context
switch. A local, unprivileged user could use this flaw to leak the user
space TLS base address of an arbitrary process. (CVE-2014-9419, Low)
* It was found that the Linux kernel KVM subsystem's sysenter instruction
emulation was not sufficient. An unprivileged guest user could use this
flaw to escalate their privileges by tricking the hypervisor to emulate a
SYSENTER instruction in 16-bit mode, if the guest OS did not initialize the
SYSENTER model-specific registers (MSRs). Note: Certified guest operating
systems for Red Hat Enterprise Linux with KVM do initialize the SYSENTER
MSRs and are thus not vulnerable to this issue when running on a KVM
hypervisor. (CVE-2015-0239, Low)
* A flaw was found in the way the Linux kernel handled the securelevel
functionality after performing a kexec operation. A local attacker could
use this flaw to bypass the security mechanism of the
securelevel/secureboot combination. (CVE-2015-7837, Low)</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-19"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2010-5313">CVE-2010-5313</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2013-7421">CVE-2013-7421</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3647">CVE-2014-3647</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-7842">CVE-2014-7842</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8171">CVE-2014-8171</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9419">CVE-2014-9419</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9644">CVE-2014-9644</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0239">CVE-2015-0239</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2925">CVE-2015-2925</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3339">CVE-2015-3339</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4170">CVE-2015-4170</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5283">CVE-2015-5283</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-6526">CVE-2015-6526</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7613">CVE-2015-7613</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7837">CVE-2015-7837</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0774">CVE-2016-0774</cve>
<bugzilla href="https://bugzilla.redhat.com/839466" id="839466">ext4: ext4 driver should reject nonsensical mount options for ext2 and ext3</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1033907" id="1033907">Test case failure: Outputs - DVI on Radeon HD 7850 [1002:6819]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1033908" id="1033908">Test case failure: Multihead - Large Desktop on Radeon HD 7850 [1002:6819]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1033910" id="1033910">Test case failure: Panning on Radeon HD 7850 [1002:6819]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1033911" id="1033911">Test case failure: Screen - Change Monitors on Radeon HD 7850 [1002:6819]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1034497" id="1034497">Test case failure: KMS - Log out after suspend/resume on AMD/ATI Kaveri [1002:1304]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1036792" id="1036792">PXE boot 5-10x slower in RHEL due to invalid guest state emulation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1064059" id="1064059">clock_nanosleep returns early with TIMER_ABSTIME</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076738" id="1076738">No RHGB on some new ATI hardware</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1076769" id="1076769">Test case failure: KMS - Log out after suspend/resume on ATI Pitcairn PRO [Radeon HD 7850] [1002:6819]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144897" id="1144897">CVE-2014-3647 kernel: kvm: noncanonical rip after emulation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163762" id="1163762">CVE-2010-5313 CVE-2014-7842 kernel: kvm: reporting emulation failures to userspace</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1177260" id="1177260">CVE-2014-9419 kernel: partial ASLR bypass through TLS base addresses leak</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182243" id="1182243">partition scan in losetup does not succeed when bound repeatedly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184155" id="1184155">Dynamic tickless feature not working in RHEL7 KVM guest</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1185469" id="1185469">CVE-2013-7421 Linux kernel: crypto api unprivileged arbitrary module load via request_module()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1186112" id="1186112">[thinkpad] Support the Lenovo early 2015 models touchpad (X1 Carbon 3rd, T450, W541)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1186448" id="1186448">CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1190546" id="1190546">CVE-2014-9644 Linux kernel: crypto api unprivileged arbitrary module load via request_module()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191604" id="1191604">DM RAID - Add support for 'raid0' mappings to device-mapper raid target</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198109" id="1198109">CVE-2014-8171 kernel: memcg: OOM handling DoS</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205258" id="1205258">Busy loop in recv(MSG_PEEK|MSG_WAITALL)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206198" id="1206198">Intel 9-series PCH chipset ACS quirks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209367" id="1209367">CVE-2015-2925 Kernel: vfs: Do not allow escaping from bind mounts</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1214030" id="1214030">CVE-2015-3339 kernel: race condition between chown() and execve()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1218454" id="1218454">CVE-2015-6526 kernel: perf on ppc64 can loop forever getting userlevel stacktraces</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1218879" id="1218879">CVE-2015-4170 kernel: pty layer race condition on tty ldisc shutdown.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1233284" id="1233284">RHEL7: repeated NFS4 server untainted kernel panic with RIP locks_in_grace called from nfsd4_process_open2, xfs used as export for diskless NFS clients</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243998" id="1243998">CVE-2015-7837 kernel: securelevel disabled after kexec [rhel-7.2]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1249107" id="1249107">[targetcli] cannot discover iSCSI target with IPv6</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1251331" id="1251331">Lenovo W541 Xorg freezes when mini display port cable is plugged in - 3.10.0-267.el7 WARNING: at drivers/gpu/drm/drm_dp_mst_topology.c:1272 process_single_tx_qlock+0x4b6/0x540 [drm_kms_helper]()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1257528" id="1257528">CVE-2015-5283 kernel: Creating multiple sockets when SCTP module isn't loaded leads to kernel panic</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1268270" id="1268270">CVE-2015-7613 kernel: Unauthorized access to IPC objects with SysV shm</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1272472" id="1272472">CVE-2015-7837 kernel: securelevel disabled after kexec</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152009"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152005"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152031"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152013"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152023"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152015"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152007"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152021"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152025"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152011"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152027"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152033"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152029"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152019"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-327.el7" test_ref="oval:com.redhat.rhsa:tst:20152152017"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152154" version="601">
<metadata>
<title>RHSA-2015:2154: krb5 security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2154-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2154.html" source="RHSA"/>
<reference ref_id="CVE-2014-5355" ref_url="https://access.redhat.com/security/cve/CVE-2014-5355" source="CVE"/>
<reference ref_id="CVE-2015-2694" ref_url="https://access.redhat.com/security/cve/CVE-2015-2694" source="CVE"/>
<description>Kerberos is a network authentication system, which can improve the security
of your network by eliminating the insecure practice of sending passwords
over the network in unencrypted form. It allows clients and servers to
authenticate to each other with the help of a trusted third party, the
Kerberos key distribution center (KDC).
It was found that the krb5_read_message() function of MIT Kerberos did not
correctly sanitize input, and could create invalid krb5_data objects.
A remote, unauthenticated attacker could use this flaw to crash a Kerberos
child process via a specially crafted request. (CVE-2014-5355)
A flaw was found in the OTP kdcpreauth module of MIT kerberos.
An unauthenticated remote attacker could use this flaw to bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key. This ciphertext could be used
to conduct an off-line dictionary attack against the user's password.
(CVE-2015-2694)
The krb5 packages have been upgraded to upstream version 1.13.2, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1203889)
Notably, this update fixes the following bugs:
* Previously, the RADIUS support (libkrad) in krb5 was sending krb5
authentication for Transmission Control Protocol (TCP) transports multiple
times, accidentally using a code path intended to be used only for
unreliable transport types, for example User Datagram Protocol (UDP)
transports. A patch that fixes the problem by disabling manual retries for
reliable transports, such as TCP, has been applied, and the correct code
path is now used in this situation. (BZ#1251586)
* Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver
systems sometimes failed. The SAP NetWeaver developer trace displayed the
following error message:
No credentials were supplied, or the credentials were
unavailable or inaccessible
Unable to establish the security context
Querying SSO credential lifetime has been modified to trigger credential
acquisition, thus preventing the error from occurring. Now, the user can
successfully use Kerberos SSO for accessing SAP NetWeaver systems.
(BZ#1252454)
All krb5 users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-05"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-5355">CVE-2014-5355</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2694">CVE-2015-2694</cve>
<bugzilla href="https://bugzilla.redhat.com/1156144" id="1156144">krb5 upstream test t_kdb.py failure</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163402" id="1163402">kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1164304" id="1164304">Upstream unit tests loads the installed shared libraries instead the ones from the build</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1185770" id="1185770">Missing upstream test in krb5-1.12.2: src/tests/gssapi/t_invalid.c</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1193939" id="1193939">CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and others</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1203889" id="1203889">RFE: Rebase krb5 in RHEL7.2 to krb5 1.13 (krb1.13.2) ...</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1216133" id="1216133">CVE-2015-2694 krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1222903" id="1222903">[SELinux] AVC denials may appear when kadmind starts</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1247608" id="1247608">[RFE] Add support for multi-hop preauth mechs via |KDC_ERR_MORE_PREAUTH_DATA_REQUIRED| for RFC 6113 ("A Generalized Framework for Kerberos Pre-Authentication")</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1247751" id="1247751">krb5-config returns wrong -specs path</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1247761" id="1247761">RFE: Minor krb5 spec file cleanup and sync with recent Fedora 22/23 changes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1250154" id="1250154">[s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1251586" id="1251586">KDC sends multiple requests to ipa-otpd for the same authentication</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1259846" id="1259846">KDC does not return proper client principal for client referrals</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="krb5 is earlier than 0:1.13.2-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152154017"/>
<criterion comment="krb5 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439006"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-devel is earlier than 0:1.13.2-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152154013"/>
<criterion comment="krb5-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439010"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-libs is earlier than 0:1.13.2-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152154005"/>
<criterion comment="krb5-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439018"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-pkinit is earlier than 0:1.13.2-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152154011"/>
<criterion comment="krb5-pkinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439008"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-server is earlier than 0:1.13.2-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152154007"/>
<criterion comment="krb5-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439012"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-server-ldap is earlier than 0:1.13.2-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152154009"/>
<criterion comment="krb5-server-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439016"/>
</criteria>
<criteria operator="AND">
<criterion comment="krb5-workstation is earlier than 0:1.13.2-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152154015"/>
<criterion comment="krb5-workstation is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150439014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152155" version="601">
<metadata>
<title>RHSA-2015:2155: file security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2155-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2155.html" source="RHSA"/>
<reference ref_id="CVE-2014-0207" ref_url="https://access.redhat.com/security/cve/CVE-2014-0207" source="CVE"/>
<reference ref_id="CVE-2014-0237" ref_url="https://access.redhat.com/security/cve/CVE-2014-0237" source="CVE"/>
<reference ref_id="CVE-2014-0238" ref_url="https://access.redhat.com/security/cve/CVE-2014-0238" source="CVE"/>
<reference ref_id="CVE-2014-3478" ref_url="https://access.redhat.com/security/cve/CVE-2014-3478" source="CVE"/>
<reference ref_id="CVE-2014-3479" ref_url="https://access.redhat.com/security/cve/CVE-2014-3479" source="CVE"/>
<reference ref_id="CVE-2014-3480" ref_url="https://access.redhat.com/security/cve/CVE-2014-3480" source="CVE"/>
<reference ref_id="CVE-2014-3487" ref_url="https://access.redhat.com/security/cve/CVE-2014-3487" source="CVE"/>
<reference ref_id="CVE-2014-3538" ref_url="https://access.redhat.com/security/cve/CVE-2014-3538" source="CVE"/>
<reference ref_id="CVE-2014-3587" ref_url="https://access.redhat.com/security/cve/CVE-2014-3587" source="CVE"/>
<reference ref_id="CVE-2014-3710" ref_url="https://access.redhat.com/security/cve/CVE-2014-3710" source="CVE"/>
<reference ref_id="CVE-2014-8116" ref_url="https://access.redhat.com/security/cve/CVE-2014-8116" source="CVE"/>
<reference ref_id="CVE-2014-8117" ref_url="https://access.redhat.com/security/cve/CVE-2014-8117" source="CVE"/>
<reference ref_id="CVE-2014-9652" ref_url="https://access.redhat.com/security/cve/CVE-2014-9652" source="CVE"/>
<reference ref_id="CVE-2014-9653" ref_url="https://access.redhat.com/security/cve/CVE-2014-9653" source="CVE"/>
<description>The file command is used to identify a particular file according to the
type of data the file contains. It can identify many different file
types, including Executable and Linkable Format (ELF) binary files,
system libraries, RPM packages, and different graphics formats.
Multiple denial of service flaws were found in the way file parsed certain
Composite Document Format (CDF) files. A remote attacker could use either
of these flaws to crash file, or an application using file, via a specially
crafted CDF file. (CVE-2014-0207, CVE-2014-0237, CVE-2014-0238,
CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3587)
Two flaws were found in the way file processed certain Pascal strings. A
remote attacker could cause file to crash if it was used to identify the
type of the attacker-supplied file. (CVE-2014-3478, CVE-2014-9652)
Multiple flaws were found in the file regular expression rules for
detecting various files. A remote attacker could use these flaws to cause
file to consume an excessive amount of CPU. (CVE-2014-3538)
Multiple flaws were found in the way file parsed Executable and Linkable
Format (ELF) files. A remote attacker could use these flaws to cause file
to crash, disclose portions of its memory, or consume an excessive amount
of system resources. (CVE-2014-3710, CVE-2014-8116, CVE-2014-8117,
CVE-2014-9653)
Red Hat would like to thank Thomas Jarosch of Intra2net AG for reporting
the CVE-2014-8116 and CVE-2014-8117 issues. The CVE-2014-0207,
CVE-2014-0237, CVE-2014-0238, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480,
CVE-2014-3487, CVE-2014-3710 issues were discovered by Francisco Alonso of
Red Hat Product Security; the CVE-2014-3538 issue was discovered by Jan
Kaluža of the Red Hat Web Stack Team
The file packages have been updated to ensure correct operation on Power
little endian and ARM 64-bit hardware architectures. (BZ#1224667,
BZ#1224668, BZ#1157850, BZ#1067688).
All file users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-11"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0207">CVE-2014-0207</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0237">CVE-2014-0237</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-0238">CVE-2014-0238</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3478">CVE-2014-3478</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3479">CVE-2014-3479</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3480">CVE-2014-3480</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3487">CVE-2014-3487</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3538">CVE-2014-3538</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3587">CVE-2014-3587</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3710">CVE-2014-3710</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8116">CVE-2014-8116</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8117">CVE-2014-8117</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9652">CVE-2014-9652</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9653">CVE-2014-9653</cve>
<bugzilla href="https://bugzilla.redhat.com/1064167" id="1064167">back out patch to MAXDESC</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1091842" id="1091842">CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1094648" id="1094648">file reports JPEG image as 'Minix filesystem'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098155" id="1098155">CVE-2014-0238 file: CDF property info parsing nelements infinite loop</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098193" id="1098193">CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098222" id="1098222">CVE-2014-3538 file: unrestricted regular expression matching</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104858" id="1104858">CVE-2014-3480 file: cdf_count_chain insufficient boundary check</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104863" id="1104863">CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1104869" id="1104869">CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1107544" id="1107544">CVE-2014-3487 file: cdf_read_property_info insufficient boundary check</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1128587" id="1128587">CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1155071" id="1155071">CVE-2014-3710 file: out-of-bounds read in elf note headers</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1157850" id="1157850">File command does not recognize kernel images on ppc64le</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161911" id="1161911">file command does not display "from" field correctly when run on 32 bit ppc core file</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161912" id="1161912">too many spaces ...</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1171580" id="1171580">CVE-2014-8116 file: multiple denial of service issues (resource consumption)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174606" id="1174606">CVE-2014-8117 file: denial of service issue (resource consumption)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1188599" id="1188599">CVE-2014-9652 file: out of bounds read in mconvert()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1190116" id="1190116">CVE-2014-9653 file: malformed elf file causes access to uninitialized memory</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1224667" id="1224667">aarch64: "file" fails to get the whole information of the new swap partition</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1224668" id="1224668">ppc64le: "file" fails to get the whole information of the new swap partition</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1255396" id="1255396">BuildID[sha1] sum is architecture dependent</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="file is earlier than 0:5.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152155011"/>
<criterion comment="file is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152155012"/>
</criteria>
<criteria operator="AND">
<criterion comment="file-devel is earlier than 0:5.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152155005"/>
<criterion comment="file-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152155006"/>
</criteria>
<criteria operator="AND">
<criterion comment="file-libs is earlier than 0:5.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152155007"/>
<criterion comment="file-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152155008"/>
</criteria>
<criteria operator="AND">
<criterion comment="file-static is earlier than 0:5.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152155009"/>
<criterion comment="file-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152155010"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-magic is earlier than 0:5.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152155013"/>
<criterion comment="python-magic is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152155014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152159" version="601">
<metadata>
<title>RHSA-2015:2159: curl security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2159-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2159.html" source="RHSA"/>
<reference ref_id="CVE-2014-3613" ref_url="https://access.redhat.com/security/cve/CVE-2014-3613" source="CVE"/>
<reference ref_id="CVE-2014-3707" ref_url="https://access.redhat.com/security/cve/CVE-2014-3707" source="CVE"/>
<reference ref_id="CVE-2014-8150" ref_url="https://access.redhat.com/security/cve/CVE-2014-8150" source="CVE"/>
<reference ref_id="CVE-2015-3143" ref_url="https://access.redhat.com/security/cve/CVE-2015-3143" source="CVE"/>
<reference ref_id="CVE-2015-3148" ref_url="https://access.redhat.com/security/cve/CVE-2015-3148" source="CVE"/>
<description>The curl packages provide the libcurl library and the curl utility for
downloading files from servers using various protocols, including HTTP,
FTP, and LDAP.
It was found that the libcurl library did not correctly handle partial
literal IP addresses when parsing received HTTP cookies. An attacker able
to trick a user into connecting to a malicious server could use this flaw
to set the user's cookie to a crafted domain, making other cookie-related
issues easier to exploit. (CVE-2014-3613)
A flaw was found in the way the libcurl library performed the duplication
of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS
option for a handle, using the handle's duplicate could cause the
application to crash or disclose a portion of its memory. (CVE-2014-3707)
It was discovered that the libcurl library failed to properly handle URLs
with embedded end-of-line characters. An attacker able to make an
application using libcurl access a specially crafted URL via an HTTP proxy
could use this flaw to inject additional headers to the request or
construct additional requests. (CVE-2014-8150)
It was discovered that libcurl implemented aspects of the NTLM and
Negotatiate authentication incorrectly. If an application uses libcurl
and the affected mechanisms in a specifc way, certain requests to a
previously NTLM-authenticated server could appears as sent by the wrong
authenticated user. Additionally, the initial set of credentials for HTTP
Negotiate-authenticated requests could be reused in subsequent requests,
although a different set of credentials was specified. (CVE-2015-3143,
CVE-2015-3148)
Red Hat would like to thank the cURL project for reporting these issues.
Bug fixes:
* An out-of-protocol fallback to SSL 3.0 was available with libcurl.
Attackers could abuse the fallback to force downgrade of the SSL version.
The fallback has been removed from libcurl. Users requiring this
functionality can explicitly enable SSL 3.0 through the libcurl API.
(BZ#1154060)
* TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can
explicitly disable them through the libcurl API. (BZ#1170339)
* FTP operations such as downloading files took a significantly long time
to complete. Now, the FTP implementation in libcurl correctly sets blocking
direction and estimated timeout for connections, resulting in faster FTP
transfers. (BZ#1218272)
Enhancements:
* With the updated packages, it is possible to explicitly enable or disable
new Advanced Encryption Standard (AES) cipher suites to be used for the TLS
protocol. (BZ#1066065)
* The libcurl library did not implement a non-blocking SSL handshake, which
negatively affected performance of applications based on the libcurl multi
API. The non-blocking SSL handshake has been implemented in libcurl, and
the libcurl multi API now immediately returns the control back to the
application whenever it cannot read or write data from or to the underlying
network socket. (BZ#1091429)
* The libcurl library used an unnecessarily long blocking delay for actions
with no active file descriptors, even for short operations. Some actions,
such as resolving a host name using /etc/hosts, took a long time to
complete. The blocking code in libcurl has been modified so that the
initial delay is short and gradually increases until an event occurs.
(BZ#1130239)
All curl users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-07"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3613">CVE-2014-3613</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3707">CVE-2014-3707</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8150">CVE-2014-8150</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3143">CVE-2015-3143</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3148">CVE-2015-3148</cve>
<bugzilla href="https://bugzilla.redhat.com/1130239" id="1130239">Difference in curl performance between RHEL6 and RHEL7</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1136154" id="1136154">CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1154060" id="1154060">curl: Disable out-of-protocol fallback to SSL 3.0</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1154941" id="1154941">CVE-2014-3707 curl: incorrect handle duplication after COPYPOSTFIELDS</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161182" id="1161182">Response headers added by proxy servers missing in CURLINFO_HEADER_SIZE</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166264" id="1166264">NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth [RHEL-7]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170339" id="1170339">use the default min/max TLS version provided by NSS</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1178692" id="1178692">CVE-2014-8150 curl: URL request injection vulnerability in parseurlandfillconn()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213306" id="1213306">CVE-2015-3143 curl: re-using authenticated connection when unauthenticated</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213351" id="1213351">CVE-2015-3148 curl: Negotiate not treated as connection-oriented</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1218272" id="1218272">Performance problem with libcurl and FTP on RHEL7.X</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="curl is earlier than 0:7.29.0-25.el7" test_ref="oval:com.redhat.rhsa:tst:20152159009"/>
<criterion comment="curl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152159010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcurl is earlier than 0:7.29.0-25.el7" test_ref="oval:com.redhat.rhsa:tst:20152159007"/>
<criterion comment="libcurl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152159008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcurl-devel is earlier than 0:7.29.0-25.el7" test_ref="oval:com.redhat.rhsa:tst:20152159005"/>
<criterion comment="libcurl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152159006"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152172" version="601">
<metadata>
<title>RHSA-2015:2172: glibc security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2172-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2172.html" source="RHSA"/>
<reference ref_id="CVE-2015-5277" ref_url="https://access.redhat.com/security/cve/CVE-2015-5277" source="CVE"/>
<description>The glibc packages provide the standard C libraries (libc), POSIX thread
libraries (libpthread), standard math libraries (libm), and the Name Server
Caching Daemon (nscd) used by multiple programs on the system. Without
these libraries, the Linux system cannot function correctly.
It was discovered that the nss_files backend for the Name Service Switch in
glibc would return incorrect data to applications or corrupt the heap
(depending on adjacent heap contents) in certain cases. A local attacker
could potentially use this flaw to escalate their privileges.
(CVE-2015-5277)
This issue was discovered by Sumit Bose and Lukáš Slebodník of Red Hat.
All glibc users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-19"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5277">CVE-2015-5277</cve>
<bugzilla href="https://bugzilla.redhat.com/1262914" id="1262914">CVE-2015-5277 glibc: data corruption while reading the NSS files database</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.17-106.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152172011"/>
<criterion comment="glibc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110019"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.17-106.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152172017"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110025"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.17-106.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152172015"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110023"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.17-106.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152172005"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110021"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-static is earlier than 0:2.17-106.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152172009"/>
<criterion comment="glibc-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110027"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.17-106.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152172013"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.17-106.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152172007"/>
<criterion comment="nscd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110031"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152180" version="601">
<metadata>
<title>RHSA-2015:2180: rubygem-bundler and rubygem-thor security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2180-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2180.html" source="RHSA"/>
<reference ref_id="CVE-2013-0334" ref_url="https://access.redhat.com/security/cve/CVE-2013-0334" source="CVE"/>
<description>Bundler manages an application's dependencies through its entire life,
across many machines, systematically and repeatably. Thor is a toolkit for
building powerful command-line interfaces.
A flaw was found in the way Bundler handled gems available from multiple
sources. An attacker with access to one of the sources could create a
malicious gem with the same name, which they could then use to trick a user
into installing, potentially resulting in execution of code from the
attacker-supplied malicious gem. (CVE-2013-0334)
Bundler has been upgraded to upstream version 1.7.8 and Thor has been
upgraded to upstream version 1.19.1, both of which provide a number of bug
fixes and enhancements over the previous versions. (BZ#1194243, BZ#1209921)
All rubygem-bundler and rubygem-thor users are advised to upgrade to these
updated packages, which correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-09"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2013-0334">CVE-2013-0334</cve>
<bugzilla href="https://bugzilla.redhat.com/1146335" id="1146335">CVE-2013-0334 rubygem-bundler: 'bundle install' may install a gem from a source other than expected</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163076" id="1163076">Bundler can't see its dependencies after Bundler.setup [rhel-7]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1194243" id="1194243">Update Bundler to the latest release</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209921" id="1209921">Update Thor to the latest release</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="rubygem-thor is earlier than 0:0.19.1-1.el7" test_ref="oval:com.redhat.rhsa:tst:20152180005"/>
<criterion comment="rubygem-thor is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152180006"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-thor-doc is earlier than 0:0.19.1-1.el7" test_ref="oval:com.redhat.rhsa:tst:20152180007"/>
<criterion comment="rubygem-thor-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152180008"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-bundler is earlier than 0:1.7.8-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152180009"/>
<criterion comment="rubygem-bundler is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152180010"/>
</criteria>
<criteria operator="AND">
<criterion comment="rubygem-bundler-doc is earlier than 0:1.7.8-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152180011"/>
<criterion comment="rubygem-bundler-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152180012"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152184" version="601">
<metadata>
<title>RHSA-2015:2184: realmd security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2184-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2184.html" source="RHSA"/>
<reference ref_id="CVE-2015-2704" ref_url="https://access.redhat.com/security/cve/CVE-2015-2704" source="CVE"/>
<description>The realmd DBus system service manages discovery of and enrollment in
realms and domains, such as Active Directory or Identity Management (IdM).
The realmd service detects available domains, automatically configures the
system, and joins it as an account to a domain.
A flaw was found in the way realmd parsed certain input when writing
configuration into the sssd.conf or smb.conf file. A remote attacker could
use this flaw to inject arbitrary configurations into these files via a
newline character in an LDAP response. (CVE-2015-2704)
It was found that the realm client would try to automatically join an
active directory domain without authentication, which could potentially
lead to privilege escalation within a specified domain. (BZ#1205751)
The realmd packages have been upgraded to upstream version 0.16.1, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1174911)
This update also fixes the following bugs:
* Joining a Red Hat Enterprise Linux machine to a domain using the realm
utility creates /home/domainname/[username]/ directories for domain users.
Previously, SELinux labeled the domain users' directories incorrectly. As a
consequence, the domain users sometimes experienced problems with SELinux
policy. This update modifies the realmd service default behavior so that
the domain users' directories are compatible with the standard SELinux
policy. (BZ#1241832)
* Previously, the realm utility was unable to join or discover domains with
domain names containing underscore (_). The realmd service has been
modified to process underscores in domain names correctly, which fixes the
described bug. (BZ#1243771)
In addition, this update adds the following enhancement:
* The realmd utility now allows the user to disable automatic ID mapping
from the command line. To disable the mapping, pass the
"--automatic-id-mapping=no" option to the realmd utility. (BZ#1230941)
All realmd users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-14"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2704">CVE-2015-2704</cve>
<bugzilla href="https://bugzilla.redhat.com/1142191" id="1142191">realm command crashes when no input password</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1174911" id="1174911">Rebase to 0.16.x</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205751" id="1205751">realmd: unauthenticated Active Directory join</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205752" id="1205752">CVE-2015-2704 realmd: untrusted data is used when configuring sssd.conf and/or smb.conf</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1241832" id="1241832">Wrong SELinux label on domain users home folders</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243771" id="1243771">realm fails to join domain names with underscore in name</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1271618" id="1271618">net ads keytab add fails on system joined to AD with RHEL 7.2 realm join</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="realmd is earlier than 0:0.16.1-5.el7" test_ref="oval:com.redhat.rhsa:tst:20152184005"/>
<criterion comment="realmd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152184006"/>
</criteria>
<criteria operator="AND">
<criterion comment="realmd-devel-docs is earlier than 0:0.16.1-5.el7" test_ref="oval:com.redhat.rhsa:tst:20152184007"/>
<criterion comment="realmd-devel-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152184008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152199" version="601">
<metadata>
<title>RHSA-2015:2199: glibc security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2199-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2199.html" source="RHSA"/>
<reference ref_id="CVE-2013-7423" ref_url="https://access.redhat.com/security/cve/CVE-2013-7423" source="CVE"/>
<reference ref_id="CVE-2015-1472" ref_url="https://access.redhat.com/security/cve/CVE-2015-1472" source="CVE"/>
<reference ref_id="CVE-2015-1473" ref_url="https://access.redhat.com/security/cve/CVE-2015-1473" source="CVE"/>
<reference ref_id="CVE-2015-1781" ref_url="https://access.redhat.com/security/cve/CVE-2015-1781" source="CVE"/>
<description>The glibc packages provide the standard C libraries (libc), POSIX thread
libraries (libpthread), standard math libraries (libm), and the Name Server
Caching Daemon (nscd) used by multiple programs on the system.
Without these libraries, the Linux system cannot function correctly.
It was discovered that, under certain circumstances, glibc's getaddrinfo()
function would send DNS queries to random file descriptors. An attacker
could potentially use this flaw to send DNS queries to unintended
recipients, resulting in information disclosure or data loss due to the
application encountering corrupted data. (CVE-2013-7423)
A buffer overflow flaw was found in the way glibc's gethostbyname_r() and
other related functions computed the size of a buffer when passed a
misaligned buffer as input. An attacker able to make an application call
any of these functions with a misaligned buffer could use this flaw to
crash the application or, potentially, execute arbitrary code with the
permissions of the user running the application. (CVE-2015-1781)
A heap-based buffer overflow flaw and a stack overflow flaw were found in
glibc's swscanf() function. An attacker able to make an application call
the swscanf() function could use these flaws to crash that application or,
potentially, execute arbitrary code with the permissions of the user
running the application. (CVE-2015-1472, CVE-2015-1473)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in glibc's _IO_wstr_overflow() function. An attacker able to make an
application call this function could use this flaw to crash that
application or, potentially, execute arbitrary code with the permissions of
the user running the application. (BZ#1195762)
A flaw was found in the way glibc's fnmatch() function processed certain
malformed patterns. An attacker able to make an application call this
function could use this flaw to crash that application. (BZ#1197730)
The CVE-2015-1781 issue was discovered by Arjun Shankar of Red Hat.
These updated glibc packages also include numerous bug fixes and one
enhancement. Space precludes documenting all of these changes in this
advisory. For information on the most significant of these changes, users
are directed to the following article on the Red Hat Customer Portal:
https://access.redhat.com/articles/2050743
All glibc users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-04-29"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2013-7423">CVE-2013-7423</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1472">CVE-2015-1472</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1473">CVE-2015-1473</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1781">CVE-2015-1781</cve>
<bugzilla href="https://bugzilla.redhat.com/1064066" id="1064066">Test suite failure: test-ldouble</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1098042" id="1098042">getaddrinfo return EAI_NONAME instead of EAI_AGAIN in case the DNS query times out</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1144133" id="1144133">calloc in dl-reloc.c computes size incorrectly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187109" id="1187109">CVE-2013-7423 glibc: getaddrinfo() writes DNS queries to random file descriptors under high load</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1188235" id="1188235">CVE-2015-1472 glibc: heap buffer overflow in glibc swscanf</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1195762" id="1195762">glibc: _IO_wstr_overflow integer overflow</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1197730" id="1197730">glibc: potential denial of service in internal_fnmatch()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199525" id="1199525">CVE-2015-1781 glibc: buffer overflow in gethostbyname_r() and related functions with misaligned buffer</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207032" id="1207032">glibc deadlock when printing backtrace from memory allocator</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209105" id="1209105">CVE-2015-1473 glibc: Stack-overflow in glibc swscanf</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1219891" id="1219891">Missing define for TCP_USER_TIMEOUT in netinet/tcp.h</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1225490" id="1225490">[RFE] Unconditionally enable SDT probes in glibc builds.</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.17-105.el7" test_ref="oval:com.redhat.rhsa:tst:20152199005"/>
<criterion comment="glibc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110019"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.17-105.el7" test_ref="oval:com.redhat.rhsa:tst:20152199013"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110025"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.17-105.el7" test_ref="oval:com.redhat.rhsa:tst:20152199009"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110023"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.17-105.el7" test_ref="oval:com.redhat.rhsa:tst:20152199015"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110021"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-static is earlier than 0:2.17-105.el7" test_ref="oval:com.redhat.rhsa:tst:20152199017"/>
<criterion comment="glibc-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110027"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.17-105.el7" test_ref="oval:com.redhat.rhsa:tst:20152199007"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.17-105.el7" test_ref="oval:com.redhat.rhsa:tst:20152199011"/>
<criterion comment="nscd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110031"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152231" version="601">
<metadata>
<title>RHSA-2015:2231: ntp security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2231-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2231.html" source="RHSA"/>
<reference ref_id="CVE-2014-9297" ref_url="https://access.redhat.com/security/cve/CVE-2014-9297" source="CVE"/>
<reference ref_id="CVE-2014-9298" ref_url="https://access.redhat.com/security/cve/CVE-2014-9298" source="CVE"/>
<reference ref_id="CVE-2014-9750" ref_url="https://access.redhat.com/security/cve/CVE-2014-9750" source="CVE"/>
<reference ref_id="CVE-2014-9751" ref_url="https://access.redhat.com/security/cve/CVE-2014-9751" source="CVE"/>
<reference ref_id="CVE-2015-1798" ref_url="https://access.redhat.com/security/cve/CVE-2015-1798" source="CVE"/>
<reference ref_id="CVE-2015-1799" ref_url="https://access.redhat.com/security/cve/CVE-2015-1799" source="CVE"/>
<reference ref_id="CVE-2015-3405" ref_url="https://access.redhat.com/security/cve/CVE-2015-3405" source="CVE"/>
<description>The Network Time Protocol (NTP) is used to synchronize a computer's time
with another referenced time source. These packages include the ntpd
service which continuously adjusts system time and utilities used to query
and configure the ntpd service.
It was found that because NTP's access control was based on a source IP
address, an attacker could bypass source IP restrictions and send
malicious control and configuration packets by spoofing ::1 addresses.
(CVE-2014-9298, CVE-2014-9751)
A denial of service flaw was found in the way NTP hosts that were peering
with each other authenticated themselves before updating their internal
state variables. An attacker could send packets to one peer host, which
could cascade to other peers, and stop the synchronization process among
the reached peers. (CVE-2015-1799)
A flaw was found in the way the ntp-keygen utility generated MD5 symmetric
keys on big-endian systems. An attacker could possibly use this flaw to
guess generated MD5 keys, which could then be used to spoof an NTP client
or server. (CVE-2015-3405)
A stack-based buffer overflow was found in the way the NTP autokey protocol
was implemented. When an NTP client decrypted a secret received from an NTP
server, it could cause that client to crash. (CVE-2014-9297, CVE-2014-9750)
It was found that ntpd did not check whether a Message Authentication Code
(MAC) was present in a received packet when ntpd was configured to use
symmetric cryptographic keys. A man-in-the-middle attacker could use this
flaw to send crafted packets that would be accepted by a client or a peer
without the attacker knowing the symmetric key. (CVE-2015-1798)
The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav
Lichvár of Red Hat.
Bug fixes:
* The ntpd service truncated symmetric keys specified in the key file to 20
bytes. As a consequence, it was impossible to configure NTP authentication
to work with peers that use longer keys. With this update, the maximum key
length has been changed to 32 bytes. (BZ#1191111)
* The ntpd service could previously join multicast groups only when
starting, which caused problems if ntpd was started during system boot
before network was configured. With this update, ntpd attempts to join
multicast groups every time network configuration is changed. (BZ#1207014)
* Previously, the ntp-keygen utility used the exponent of 3 when generating
RSA keys. Consequently, generating RSA keys failed when FIPS mode was
enabled. With this update, ntp-keygen has been modified to use the exponent
of 65537, and generating keys in FIPS mode now works as expected.
(BZ#1191116)
* The ntpd service dropped incoming NTP packets if their source port was
lower than 123 (the NTP port). With this update, ntpd no longer checks the
source port number, and clients behind NAT are now able to correctly
synchronize with the server. (BZ#1171640)
Enhancements:
* This update adds support for configurable Differentiated Services Code
Points (DSCP) in NTP packets, simplifying configuration in large networks
where different NTP implementations or versions are using different DSCP
values. (BZ#1202828)
* This update adds the ability to configure separate clock stepping
thresholds for each direction (backward and forward). Use the "stepback"
and "stepfwd" options to configure each threshold. (BZ#1193154)
* Support for nanosecond resolution has been added to the Structural
Health Monitoring (SHM) reference clock. Prior to this update, when a
Precision Time Protocol (PTP) hardware clock was used as a time source to
synchronize the system clock, the accuracy of the synchronization was
limited due to the microsecond resolution of the SHM protocol. The
nanosecond extension in the SHM protocol now allows sub-microsecond
synchronization of the system clock. (BZ#1117702)
All ntp users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-14"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9297">CVE-2014-9297</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9298">CVE-2014-9298</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9750">CVE-2014-9750</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9751">CVE-2014-9751</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1798">CVE-2015-1798</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1799">CVE-2015-1799</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3405">CVE-2015-3405</cve>
<bugzilla href="https://bugzilla.redhat.com/1117702" id="1117702">SHM refclock doesn't support nanosecond resolution</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1122012" id="1122012">SHM refclock allows only two units with owner-only access</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1171640" id="1171640">NTP drops requests when sourceport is below 123</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180721" id="1180721">ntp: mreadvar command crash in ntpq</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184572" id="1184572">CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184573" id="1184573">CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191108" id="1191108">ntpd should warn when monitoring facility can't be disabled due to restrict configuration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191122" id="1191122">ntpd -x steps clock on leap second</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1193154" id="1193154">permit differential fwd/back threshold for step vs. slew [PATCH]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199430" id="1199430">CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199435" id="1199435">CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1210324" id="1210324">CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ntp is earlier than 0:4.2.6p5-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152231005"/>
<criterion comment="ntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-doc is earlier than 0:4.2.6p5-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152231011"/>
<criterion comment="ntp-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-perl is earlier than 0:4.2.6p5-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152231013"/>
<criterion comment="ntp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntpdate is earlier than 0:4.2.6p5-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152231009"/>
<criterion comment="ntpdate is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024012"/>
</criteria>
<criteria operator="AND">
<criterion comment="sntp is earlier than 0:4.2.6p5-22.el7" test_ref="oval:com.redhat.rhsa:tst:20152231007"/>
<criterion comment="sntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152233" version="601">
<metadata>
<title>RHSA-2015:2233: tigervnc security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2233-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2233.html" source="RHSA"/>
<reference ref_id="CVE-2014-8240" ref_url="https://access.redhat.com/security/cve/CVE-2014-8240" source="CVE"/>
<reference ref_id="CVE-2014-8241" ref_url="https://access.redhat.com/security/cve/CVE-2014-8241" source="CVE"/>
<description>Virtual Network Computing (VNC) is a remote display system which allows
users to view a computing desktop environment not only on the machine where
it is running, but from anywhere on the Internet and from a wide variety of
machine architectures. TigerVNC is a suite of VNC servers and clients.
The tigervnc packages contain a client which allows users to connect to
other desktops running a VNC server.
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way TigerVNC handled screen sizes. A malicious VNC server
could use this flaw to cause a client to crash or, potentially, execute
arbitrary code on the client. (CVE-2014-8240)
A NULL pointer dereference flaw was found in TigerVNC's XRegion.
A malicious VNC server could use this flaw to cause a client to crash.
(CVE-2014-8241)
The tigervnc packages have been upgraded to upstream version 1.3.1, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1199453)
This update also fixes the following bug:
* The position of the mouse cursor in the VNC session was not correctly
communicated to the VNC viewer, resulting in cursor misplacement.
The method of displaying the remote cursor has been changed, and cursor
movements on the VNC server are now accurately reflected on the VNC client.
(BZ#1100661)
All tigervnc users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-15"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8240">CVE-2014-8240</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8241">CVE-2014-8241</cve>
<bugzilla href="https://bugzilla.redhat.com/1072733" id="1072733">vnc black screen and error 'XRequest.130: BadValue (integer parameter out of range for operation) 0x400'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1119640" id="1119640">VNC-EXTENSION missed on Xorg server regeneration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151307" id="1151307">CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151312" id="1151312">CVE-2014-8241 tigervnc: NULL pointer dereference flaw in XRegion</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1162722" id="1162722">tigervnc-server has no IPV6 support</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1181287" id="1181287">gnome 3 session inside vncserver changes initial resolution instead of using what was specified from "-geometry</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1194898" id="1194898">Rebuild tigervnc against rebased xserver in 7.2</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1195266" id="1195266">The display number is not required in the file name for VNC</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199437" id="1199437">Enable Xinerama extension</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199453" id="1199453">Re-base to tigervnc-1.3.x</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="tigervnc is earlier than 0:1.3.1-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152233007"/>
<criterion comment="tigervnc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152233008"/>
</criteria>
<criteria operator="AND">
<criterion comment="tigervnc-icons is earlier than 0:1.3.1-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152233013"/>
<criterion comment="tigervnc-icons is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152233014"/>
</criteria>
<criteria operator="AND">
<criterion comment="tigervnc-license is earlier than 0:1.3.1-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152233015"/>
<criterion comment="tigervnc-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152233016"/>
</criteria>
<criteria operator="AND">
<criterion comment="tigervnc-server is earlier than 0:1.3.1-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152233005"/>
<criterion comment="tigervnc-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152233006"/>
</criteria>
<criteria operator="AND">
<criterion comment="tigervnc-server-applet is earlier than 0:1.3.1-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152233017"/>
<criterion comment="tigervnc-server-applet is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152233018"/>
</criteria>
<criteria operator="AND">
<criterion comment="tigervnc-server-minimal is earlier than 0:1.3.1-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152233009"/>
<criterion comment="tigervnc-server-minimal is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152233010"/>
</criteria>
<criteria operator="AND">
<criterion comment="tigervnc-server-module is earlier than 0:1.3.1-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152233011"/>
<criterion comment="tigervnc-server-module is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152233012"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152237" version="601">
<metadata>
<title>RHSA-2015:2237: rest security update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2237-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2237.html" source="RHSA"/>
<reference ref_id="CVE-2015-2675" ref_url="https://access.redhat.com/security/cve/CVE-2015-2675" source="CVE"/>
<description>The rest library was designed to make it easier to access web services that
claim to be RESTful. A RESTful service should have URLs that represent
remote objects, which methods can then be called on.
It was found that the OAuth implementation in librest, a helper library for
RESTful services, incorrectly truncated the pointer returned by the
rest_proxy_call_get_url call. An attacker could use this flaw to crash an
application using the librest library. (CVE-2015-2675)
All users of rest are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, all applications using librest must be restarted for the update to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-18"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2675">CVE-2015-2675</cve>
<bugzilla href="https://bugzilla.redhat.com/1183982" id="1183982">Memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199049" id="1199049">CVE-2015-2675 rest: memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="rest is earlier than 0:0.7.92-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152237007"/>
<criterion comment="rest is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152237008"/>
</criteria>
<criteria operator="AND">
<criterion comment="rest-devel is earlier than 0:0.7.92-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152237005"/>
<criterion comment="rest-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152237006"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152241" version="601">
<metadata>
<title>RHSA-2015:2241: chrony security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2241-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2241.html" source="RHSA"/>
<reference ref_id="CVE-2015-1821" ref_url="https://access.redhat.com/security/cve/CVE-2015-1821" source="CVE"/>
<reference ref_id="CVE-2015-1822" ref_url="https://access.redhat.com/security/cve/CVE-2015-1822" source="CVE"/>
<reference ref_id="CVE-2015-1853" ref_url="https://access.redhat.com/security/cve/CVE-2015-1853" source="CVE"/>
<description>The chrony suite, chronyd and chronyc, is an advanced implementation of the
Network Time Protocol (NTP), specially designed to support systems with
intermittent connections. It can synchronize the system clock with NTP
servers, hardware reference clocks, and manual input. It can also operate
as an NTPv4 (RFC 5905) server or peer to provide a time service to other
computers in the network.
An out-of-bounds write flaw was found in the way chrony stored certain
addresses when configuring NTP or cmdmon access. An attacker that has the
command key and is allowed to access cmdmon (only localhost is allowed by
default) could use this flaw to crash chronyd or, possibly, execute
arbitrary code with the privileges of the chronyd process. (CVE-2015-1821)
An uninitialized pointer use flaw was found when allocating memory to save
unacknowledged replies to authenticated command requests. An attacker that
has the command key and is allowed to access cmdmon (only localhost is
allowed by default) could use this flaw to crash chronyd or, possibly,
execute arbitrary code with the privileges of the chronyd process.
(CVE-2015-1822)
A denial of service flaw was found in the way chrony hosts that were
peering with each other authenticated themselves before updating their
internal state variables. An attacker could send packets to one peer host,
which could cascade to other peers, and stop the synchronization process
among the reached peers. (CVE-2015-1853)
These issues were discovered by Miroslav Lichvár of Red Hat.
The chrony packages have been upgraded to upstream version 2.1.1, which
provides a number of bug fixes and enhancements over the previous version.
Notable enhancements include:
* Updated to NTP version 4 (RFC 5905)
* Added pool directive to specify pool of NTP servers
* Added leapsecmode directive to select how to correct clock for leap
second
* Added smoothtime directive to smooth served time and enable leap smear
* Added asynchronous name resolving with POSIX threads
* Ready for year 2036 (next NTP era)
* Improved clock control
* Networking code reworked to open separate client sockets for each NTP
server
(BZ#1117882)
This update also fixes the following bug:
* The chronyd service previously assumed that network interfaces specified
with the "bindaddress" directive were ready when the service was started.
This could cause chronyd to fail to bind an NTP server socket to the
interface if the interface was not ready. With this update, chronyd uses
the IP_FREEBIND socket option, enabling it to bind to an interface later,
not only when the service starts. (BZ#1169353)
In addition, this update adds the following enhancement:
* The chronyd service now supports four modes of handling leap seconds,
configured using the "leapsecmode" option. The clock can be either stepped
by the kernel (the default "system" mode), stepped by chronyd ("step"
mode), slowly adjusted by slewing ("slew" mode), or the leap second can be
ignored and corrected later in normal operation ("ignore" mode). If you
select slewing, the correction will always start at 00:00:00 UTC and will
be applied at a rate specified in the "maxslewrate" option. (BZ#1206504)
All chrony users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-19"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1821">CVE-2015-1821</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1822">CVE-2015-1822</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1853">CVE-2015-1853</cve>
<bugzilla href="https://bugzilla.redhat.com/1117882" id="1117882">rebase chrony to 2.1.1</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1169353" id="1169353">Chronyd not starting with bindaddress option set to bond interface</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206504" id="1206504">RFE: option to correct clock for leap second by slewing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209568" id="1209568">RFE: add option for leap smear</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209572" id="1209572">CVE-2015-1853 chrony: authentication doesn't protect symmetric associations against DoS attacks</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209631" id="1209631">CVE-2015-1821 chrony: Heap out of bound write in address filter</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209632" id="1209632">CVE-2015-1822 chrony: uninitialized pointer in cmdmon reply slots</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211600" id="1211600">RFE: add support for SRV _ntp._udp resolution</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1219492" id="1219492">Use iburst option for NTP servers from DHCP</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="chrony is earlier than 0:2.1.1-1.el7" test_ref="oval:com.redhat.rhsa:tst:20152241005"/>
<criterion comment="chrony is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152241006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152248" version="601">
<metadata>
<title>RHSA-2015:2248: netcf security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2248-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2248.html" source="RHSA"/>
<reference ref_id="CVE-2014-8119" ref_url="https://access.redhat.com/security/cve/CVE-2014-8119" source="CVE"/>
<description>The netcf packages contain a library for modifying the network
configuration of a system. Network configuration is expressed in a
platform-independent XML format, which netcf translates into changes to the
system's "native" network configuration files.
A denial of service flaw was found in netcf. A specially crafted interface
name could cause an application using netcf (such as the libvirt daemon) to
crash. (CVE-2014-8119)
This issue was discovered by Hao Liu of Red Hat.
The netcf packages have been upgraded to upstream version 0.2.8, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1206680)
Users of netcf are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-05-20"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8119">CVE-2014-8119</cve>
<bugzilla href="https://bugzilla.redhat.com/761246" id="761246">Bad parsing of network-scripts/ifcfg-xxxx files.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1090011" id="1090011">Need to limit names of new interfaces to IFNAMSIZ</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1113983" id="1113983">netcf should allow interfaces to be configured with both DHCPv4 and static IPv4 addresses at the same time</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1159000" id="1159000">netcf ignores any IPv4 address past the first one</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170941" id="1170941">Remove extraneous single quotes from IPV6ADDR_SECONDARIES</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1172176" id="1172176">CVE-2014-8119 netcf: augeas path expression injection via interface name</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206680" id="1206680">rebase netcf for RHEL7.2</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="netcf is earlier than 0:0.2.8-1.el7" test_ref="oval:com.redhat.rhsa:tst:20152248005"/>
<criterion comment="netcf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152248006"/>
</criteria>
<criteria operator="AND">
<criterion comment="netcf-devel is earlier than 0:0.2.8-1.el7" test_ref="oval:com.redhat.rhsa:tst:20152248007"/>
<criterion comment="netcf-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152248008"/>
</criteria>
<criteria operator="AND">
<criterion comment="netcf-libs is earlier than 0:0.2.8-1.el7" test_ref="oval:com.redhat.rhsa:tst:20152248009"/>
<criterion comment="netcf-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152248010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152290" version="601">
<metadata>
<title>RHSA-2015:2290: pcs security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2290-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2290.html" source="RHSA"/>
<reference ref_id="CVE-2015-3225" ref_url="https://access.redhat.com/security/cve/CVE-2015-3225" source="CVE"/>
<description>The pcs package provides a configuration tool for Corosync and Pacemaker.
It permits users to easily view, modify and create Pacemaker based
clusters. The pcs package includes Rack, which provides a minimal interface
between webservers that support Ruby and Ruby frameworks.
A flaw was found in a way Rack processed parameters of incoming requests.
An attacker could use this flaw to send a crafted request that would cause
an application using Rack to crash. (CVE-2015-3225)
Red Hat would like to thank Ruby upstream developers for reporting this.
Upstream acknowledges Tomek Rabczak from the NCC Group as the original
reporter.
The pcs package has been upgraded to upstream version 0.9.143, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1198265)
The following enhancements are described in more detail in the Red Hat
Enterprise Linux 7.2 Release Notes, linked to from the References section:
* The pcs resource move and pcs resource ban commands now display a warning
message to clarify the commands' behavior (BZ#1201452)
* New command to move a Pacemaker resource to its preferred node
(BZ#1122818)
This update also fixes the following bugs:
* Before this update, a bug caused location, ordering, and colocation
constraints related to a resource group to be removed when removing any
resource from that group. This bug has been fixed, and the constraints are
now preserved until the group has no resources left, and is removed.
(BZ#1158537)
* Previously, when a user disabled a resource clone or multi-state
resource, and then later enabled a primitive resource within it, the clone
or multi-state resource remained disabled. With this update, enabling a
resource within a disabled clone or multi-state resource enables it.
(BZ#1218979)
* When the web UI displayed a list of resource attributes, a bug caused
the list to be truncated at the first "=" character. This update fixes the
bug and now the web UI displays lists of resource attributes correctly.
(BZ#1243579)
* The documentation for the "pcs stonith confirm" command was not clear.
This could lead to incorrect usage of the command, which could in turn
cause data corruption. With this update, the documentation has been
improved and the "pcs stonith confirm" command is now more clearly
explained. (BZ#1245264)
* Previously, if there were any unauthenticated nodes, creating a new
cluster, adding a node to an existing cluster, or adding a cluster to the
web UI failed with the message "Node is not authenticated". With this
update, when the web UI detects a problem with authentication, the web UI
displays a dialog to authenticate nodes as necessary. (BZ#1158569)
* Previously, the web UI displayed only primitive resources. Thus there was
no way to set attributes, constraints and other properties separately for a
parent resource and a child resource. This has now been fixed, and
resources are displayed in a tree structure, meaning all resource elements
can be viewed and edited independently. (BZ#1189857)
In addition, this update adds the following enhancements:
* A dashboard has been added which shows the status of clusters in the web
UI. Previously, it was not possible to view all important information about
clusters in one place. Now, a dashboard showing the status of clusters has
been added to the main page of the web UI. (BZ#1158566)
* With this update, the pcsd daemon automatically synchronizes pcsd
configuration across a cluster. This enables the web UI to be run from any
node, allowing management even if any particular node is down. (BZ#1158577)
* The web UI can now be used to set permissions for users and groups on a
cluster. This allows users and groups to have their access restricted to
certain operations on certain clusters. (BZ#1158571)
All pcs users are advised to upgrade to this updated package, which
corrects these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-08"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3225">CVE-2015-3225</cve>
<bugzilla href="https://bugzilla.redhat.com/1121791" id="1121791">Provide documentation of batch-limit and other pacemaker properties in man page or pcs help</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1134426" id="1134426">pcs needs a better parser for corosync.conf</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1148863" id="1148863">Pcsd backward/forward compatibility issues</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158491" id="1158491">'pcs cluster status' is documented to be an alias to 'pcs status cluster' but has different output</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158537" id="1158537">Removing a resource from a group also removes constraints mentioning that group</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1158571" id="1158571">user and group support in gui - permissions to clusters managed by pcsd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163671" id="1163671">[RFE] Default corosync configuration should log to file</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163682" id="1163682">nodes authentication stops if failed on one node</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1165803" id="1165803">pcs CLI should recognize and act upon "fail due to lack of authentication" state if/as suitable (e.g. for "pcs config restore")</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166160" id="1166160">'pcs acl role create' does not check syntax properly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1170205" id="1170205">pcs cluster auth --force doesn't overwrite /var/lib/pcsd/tokens if its content is corrupt</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1175400" id="1175400">pcs resource op add creates duplicate op entires</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1176687" id="1176687">Pacemaker resource defaults should show up in 'pcs config' output</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182119" id="1182119">A cloned resource banned on one of the nodes is shown as Inactive in GUI</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182793" id="1182793">When attempting to add a duplicate fence level we get a non-useful error message</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182986" id="1182986">Unable to find out value for require-all parameter for ordering constraint with clones</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183752" id="1183752">Unable to delete VirtualDomain resource remote-node when it has configured some constraints</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1185096" id="1185096">debug-promote implementation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1186692" id="1186692">cluster node removal should verify possible loss of quorum</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187320" id="1187320">Uncloning a non-cloned resource produces invalid CIB</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187571" id="1187571">ungrouping a resource from a cloned group produces invalid CIB when other resources exist in that group</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1188571" id="1188571">The --wait functionality implementation needs an overhaul</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1189857" id="1189857">need a tree view for clones/MS/groups in the resource panel [GUI]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1196412" id="1196412">pcs cluster start should go to pcsd if user is not root</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1197758" id="1197758">pcs does not inform about incorrect command usage (pcs constraint order set)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198222" id="1198222">pcsd: GUI fails if orphaned resource is present in a cluster</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198265" id="1198265">PCS Rebase bug for 7.2</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198274" id="1198274">pcsd: don't automatically use --force everytime a resource is being removed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198640" id="1198640">[WebUI] spaces not allowed in resource agent options fields</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199073" id="1199073">creating a resource name colliding with an existing group/clone/master ID needs better error message</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202457" id="1202457">Referencing a non-existent ACL role should error out more gracefully</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1204880" id="1204880">pcs: stonith level value checking</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205653" id="1205653">pcsd gui is not able to remove constraints and standby/unstandby nodes of remote cluster</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206214" id="1206214">Formatting of longdesc metadata of resource agent is destroyed when using "pcs resource describe"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206219" id="1206219">pcs stonith describe only lists parameters of fence agent, but not description</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207805" id="1207805">Need a way for pcs to clear out auth tokens</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212904" id="1212904">better integration with standalone (unbundled) clufter package for cluster configuration conversion</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213429" id="1213429">Cluster request fails on first node if this is not authorized</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1215198" id="1215198">pcsd: GUI ignores timeout value in fence_xvm agent form</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1219574" id="1219574">[gui] resource optional arguments: quoted strings missing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1231987" id="1231987">pcs ought to require psmisc package (hidden dependency for killall execution)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1232292" id="1232292">CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1235022" id="1235022">Nagios metadata is missing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1247818" id="1247818">pcs depends on initscripts</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1250720" id="1250720">traceback when running 'pcs resource enable clvmd --wait'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1253491" id="1253491">pcs status pcsd shows "Unable to authenticate" on serial console</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1257369" id="1257369">pcs should print the output of crm_resource from pcs resource cleanup commands</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1258619" id="1258619">Ruby traceback on pcsd startup - /webrick.rb:48:in `shutdown': undefined method `shutdown'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265425" id="1265425">pcs is not parsing the output of crm_node properly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1268801" id="1268801">A change in "crm_resource --set-parameter is-managed" introduces regression for Clone and M/S resources</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="pcs is earlier than 0:0.9.143-15.el7" test_ref="oval:com.redhat.rhsa:tst:20152290005"/>
<criterion comment="pcs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150980006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152315" version="601">
<metadata>
<title>RHSA-2015:2315: NetworkManager security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2315-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2315.html" source="RHSA"/>
<reference ref_id="CVE-2015-0272" ref_url="https://access.redhat.com/security/cve/CVE-2015-0272" source="CVE"/>
<reference ref_id="CVE-2015-2924" ref_url="https://access.redhat.com/security/cve/CVE-2015-2924" source="CVE"/>
<description>NetworkManager is a system network service that manages network devices
and connections.
It was discovered that NetworkManager would set device MTUs based on MTU
values received in IPv6 RAs (Router Advertisements), without sanity
checking the MTU value first. A remote attacker could exploit this flaw to
create a denial of service attack, by sending a specially crafted IPv6 RA
packet to disturb IPv6 communication. (CVE-2015-0272)
A flaw was found in the way NetworkManager handled router advertisements.
An unprivileged user on a local network could use IPv6 Neighbor Discovery
ICMP to broadcast a non-route with a low hop limit, causing machines to
lower the hop limit on existing IPv6 routes. If this limit is small enough,
IPv6 packets would be dropped before reaching the final destination.
(CVE-2015-2924)
The network-manager-applet and NetworkManager-libreswan packages have been
upgraded to upstream versions 1.0.6, and provide a number of bug fixes and
enhancements over the previous versions. (BZ#1177582, BZ#1243057)
Bugs:
* It was not previously possible to set the Wi-Fi band to the "a" or "bg"
values to lock to a specific frequency band. NetworkManager has been fixed,
and it now sets the wpa_supplicant's "freq_list" option correctly, which
enables proper Wi-Fi band locking. (BZ#1254461)
* NetworkManager immediately failed activation of devices that did not have
a carrier early in the boot process. The legacy network.service then
reported activation failure. Now, NetworkManager has a grace period during
which it waits for the carrier to appear. Devices that have a carrier down
for a short time on system startup no longer cause the legacy
network.service to fail. (BZ#1079353)
* NetworkManager brought down a team device if the teamd service managing
it exited unexpectedly, and the team device was deactivated. Now,
NetworkManager respawns the teamd instances that disappear and is able to
recover from a teamd failure avoiding disruption of the team device
operation. (BZ#1145988)
* NetworkManager did not send the FQDN DHCP option even if host name was
set to FQDN. Consequently, Dynamic DNS (DDNS) setups failed to update the
DNS records for clients running NetworkManager. Now, NetworkManager sends
the FQDN option with DHCP requests, and the DHCP server is able to create
DNS records for such clients. (BZ#1212597)
* The command-line client was not validating the vlan.flags property
correctly, and a spurious warning message was displayed when the nmcli tool
worked with VLAN connections. The validation routine has been fixed, and
the warning message no longer appears. (BZ#1244048)
* NetworkManager did not propagate a media access control (MAC) address
change from a bonding interface to a VLAN interface on top of it.
Consequently, a VLAN interface on top of a bond used an incorrect MAC
address. Now, NetworkManager synchronizes the addresses correctly.
(BZ#1264322)
Enhancements:
* IPv6 Privacy extensions are now enabled by default. NetworkManager checks
the per-network configuration files, NetworkManager.conf, and then falls
back to "/proc/sys/net/ipv6/conf/default/use_tempaddr" to determine and set
IPv6 privacy settings at device activation. (BZ#1187525)
* The NetworkManager command-line tool, nmcli, now allows setting the
wake-on-lan property to 0 ("none", "disable", "disabled"). (BZ#1260584)
* NetworkManager now provides information about metered connections.
(BZ#1200452)
* NetworkManager daemon and the connection editor now support setting the
Maximum Transmission Unit (MTU) of a bond. It is now possible to change MTU
of a bond interface in a GUI. (BZ#1177582, BZ#1177860)
* NetworkManager daemon and the connection editor now support setting the
MTU of a team, allowing to change MTU of a teaming interface. (BZ#1255927)
NetworkManager users are advised to upgrade to these updated packages,
which correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-15"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0272">CVE-2015-0272</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2924">CVE-2015-2924</cve>
<bugzilla href="https://bugzilla.redhat.com/918692" id="918692">PIN/Password dialog for Mobile Broadband forces user to enter password, even if it's not needed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1062301" id="1062301">NetworkManager should provide a way to reload a configuration and to refresh resolv.conf if necessary</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1139536" id="1139536">[RFE] Improve handling of DEVICE and HWADDR in nm-connection-editor</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1141417" id="1141417">Persistent wake on lan across reboot</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168388" id="1168388">veth device goes down when ipv4 dhcp lease expires</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1168657" id="1168657">nmcli hangs when deleting profile two times</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182575" id="1182575">[nmcli] Can't add certificate blob via nmcli as description states</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183015" id="1183015">ipv6.method shared prevents connection from being upped</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1183444" id="1183444">Attaching a team device to a bridge doesn't work.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187525" id="1187525">Enable privacy extensions by default</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1192132" id="1192132">CVE-2015-0272 kernel/NetworkManager: remote DoS using IPv6 RA with bogus MTU</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1200451" id="1200451">feature request: Indicate 2ghz and 5ghz wifi device capabilities</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1200452" id="1200452">feature request: provide information about metered connections</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1201497" id="1201497">[PATCH] fix a configure-and-quit=yes bug when DHCP client ID is set and hostname is not given</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1207730" id="1207730">Continuous IPv6 router solicitation loop</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209902" id="1209902">CVE-2015-2924 NetworkManager: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211133" id="1211133">high cpu use with many IPv6 cloned routes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211859" id="1211859">_nl_get_vtable: assertion 'vtable.handle' failed</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1229471" id="1229471">[bluez5] add DUN support to nm-connection-editor</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1238840" id="1238840">libreswan vpn is not working</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1243057" id="1243057">Update to NetworkManager-openswan/libreswan 1.0.6 or later</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1244293" id="1244293">NetworkManager support for secondary IPv6 addresses</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1246496" id="1246496">dhclient is terminated and won't start after restart NetworkManager</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1250019" id="1250019">NetworkManager doesn't handle MTU correctly</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1250723" id="1250723">Updating IPv4 address lifetime causes VPN disconnection</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1251954" id="1251954">Can activate a DUN connection only once</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1253744" id="1253744">segfault while trying to connect to VPN</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1254089" id="1254089">Netlink error at 'link_change' function when net interface dynamic plug out and plug in on Xen</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1254461" id="1254461">Wi-Fi band-locking doesn't work</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1255735" id="1255735">Dialog run by nm-connection-editor --create --type=vlan doesn't offer connections (eg bond) as parents</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1256772" id="1256772">NetworkManager quits prematurely with "configure-and-quit"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1261428" id="1261428">ipv6 dns set even if ipv6.ignore-auto-dns set yes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1264024" id="1264024">no network on xen guests: Error: Connection activation failed: No suitable device found for this connection.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1264089" id="1264089">cannot add adsl type connection</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1264361" id="1264361">backport upstream bugfix to platform handling links in different netns (IFLA_LINK_NETNSID)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267326" id="1267326">libnm-gtk: fix a possible crash in functions handling password entry</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267330" id="1267330">libnm-gtk: remove underscore from tooltip and use symbolic icons for password location icons</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267462" id="1267462">NetworkManager segfault on_bss_proxy_acquired</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267672" id="1267672">fix crash in nmtui when requesting password</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1268030" id="1268030">20 seconds timeout is not sufficient for VPN password entry</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1271973" id="1271973">no more vpn dialog after previous canceling</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1272023" id="1272023">vpn password request still visible after timeout (3 mins)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1272974" id="1272974">Fix regression detecting s390 CTC devices</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ModemManager is earlier than 0:1.1.0-8.git20130913.el7" test_ref="oval:com.redhat.rhsa:tst:20152315009"/>
<criterion comment="ModemManager is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ModemManager-devel is earlier than 0:1.1.0-8.git20130913.el7" test_ref="oval:com.redhat.rhsa:tst:20152315005"/>
<criterion comment="ModemManager-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ModemManager-glib is earlier than 0:1.1.0-8.git20130913.el7" test_ref="oval:com.redhat.rhsa:tst:20152315007"/>
<criterion comment="ModemManager-glib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315008"/>
</criteria>
<criteria operator="AND">
<criterion comment="ModemManager-glib-devel is earlier than 0:1.1.0-8.git20130913.el7" test_ref="oval:com.redhat.rhsa:tst:20152315013"/>
<criterion comment="ModemManager-glib-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ModemManager-vala is earlier than 0:1.1.0-8.git20130913.el7" test_ref="oval:com.redhat.rhsa:tst:20152315011"/>
<criterion comment="ModemManager-vala is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libnm-gtk is earlier than 0:1.0.6-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152315019"/>
<criterion comment="libnm-gtk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315020"/>
</criteria>
<criteria operator="AND">
<criterion comment="libnm-gtk-devel is earlier than 0:1.0.6-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152315017"/>
<criterion comment="libnm-gtk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315018"/>
</criteria>
<criteria operator="AND">
<criterion comment="network-manager-applet is earlier than 0:1.0.6-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152315021"/>
<criterion comment="network-manager-applet is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315022"/>
</criteria>
<criteria operator="AND">
<criterion comment="nm-connection-editor is earlier than 0:1.0.6-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152315015"/>
<criterion comment="nm-connection-editor is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315016"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-libreswan is earlier than 0:1.0.6-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152315025"/>
<criterion comment="NetworkManager-libreswan is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315026"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-libreswan-gnome is earlier than 0:1.0.6-3.el7" test_ref="oval:com.redhat.rhsa:tst:20152315023"/>
<criterion comment="NetworkManager-libreswan-gnome is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315024"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315035"/>
<criterion comment="NetworkManager is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315036"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-adsl is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315029"/>
<criterion comment="NetworkManager-adsl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315030"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-bluetooth is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315051"/>
<criterion comment="NetworkManager-bluetooth is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315052"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-config-routing-rules is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315053"/>
<criterion comment="NetworkManager-config-routing-rules is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315054"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-config-server is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315047"/>
<criterion comment="NetworkManager-config-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315048"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-devel is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315031"/>
<criterion comment="NetworkManager-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315032"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-glib is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315049"/>
<criterion comment="NetworkManager-glib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315050"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-glib-devel is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315037"/>
<criterion comment="NetworkManager-glib-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315038"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-libnm is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315039"/>
<criterion comment="NetworkManager-libnm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315040"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-libnm-devel is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315027"/>
<criterion comment="NetworkManager-libnm-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315028"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-team is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315045"/>
<criterion comment="NetworkManager-team is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315046"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-tui is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315043"/>
<criterion comment="NetworkManager-tui is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315044"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-wifi is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315041"/>
<criterion comment="NetworkManager-wifi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315042"/>
</criteria>
<criteria operator="AND">
<criterion comment="NetworkManager-wwan is earlier than 1:1.0.6-27.el7" test_ref="oval:com.redhat.rhsa:tst:20152315033"/>
<criterion comment="NetworkManager-wwan is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152315034"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152345" version="601">
<metadata>
<title>RHSA-2015:2345: net-snmp security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2345-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2345.html" source="RHSA"/>
<reference ref_id="CVE-2014-3565" ref_url="https://access.redhat.com/security/cve/CVE-2014-3565" source="CVE"/>
<description>The net-snmp packages provide various libraries and tools for the Simple
Network Management Protocol (SNMP), including an SNMP library, an
extensible agent, tools for requesting or setting information from SNMP
agents, tools for generating and handling SNMP traps, a version of the
netstat command which uses SNMP, and a Tk/Perl Management Information Base
(MIB) browser.
A denial of service flaw was found in the way snmptrapd handled certain
SNMP traps when started with the "-OQ" option. If an attacker sent an SNMP
trap containing a variable with a NULL type where an integer variable type
was expected, it would cause snmptrapd to crash. (CVE-2014-3565)
This update also fixes the following bugs:
* Previously, the clientaddr option in the snmp.conf file affected outgoing
messages sent only over IPv4. With this release, outgoing IPv6 messages are
correctly sent from the interface specified by clientaddr. (BZ#1190679)
* The Net-SNMP daemon, snmpd, did not properly clean memory when reloading
its configuration file with multiple "exec" entries. Consequently, the
daemon terminated unexpectedly. Now, the memory is properly cleaned, and
snmpd no longer crashes on reload. (BZ#1228893)
* Prior to this update, snmpd did not parse complete IPv4 traffic
statistics, but reported the number of received or sent bytes in the
IP-MIB::ipSystemStatsTable only for IPv6 packets and not for IPv4.
This affected objects ipSystemStatsInOctets, ipSystemStatsOutOctets,
ipSystemStatsInMcastOctets, and ipSystemStatsOutMcastOctets. Now, the
statistics reported by snmpd are collected for IPv4 as well. (BZ#1235697)
* The Net-SNMP daemon, snmpd, did not correctly detect the file system
change from read-only to read-write. Consequently, after remounting the
file system into the read-write mode, the daemon reported it to be still
in the read-only mode. A patch has been applied, and snmpd now detects the
mode changes as expected. (BZ#1241897)
All net-snmp users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-19"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-3565">CVE-2014-3565</cve>
<bugzilla href="https://bugzilla.redhat.com/1092308" id="1092308">backport diskio device filtering</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1125155" id="1125155">CVE-2014-3565 net-snmp: snmptrapd crash when handling an SNMP trap containing a ifMtu with a NULL type</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1151310" id="1151310">snmptrap can't create (or write to) /var/lib/net-snmp/snmpapp.conf if isn't run under root</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1184433" id="1184433">udpTable has wrong indices</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1190679" id="1190679">In IPv6, snmp packet does not send from specified interface assigned by clientaddr option in snmpd.conf.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1193006" id="1193006">net-snmp "storageUseNFS 2" option does not report NFS mount as "Fixed Disks"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252034" id="1252034">net-snmp-python contains zeros in IP address (IPADDR type) on big-endian architectures</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252048" id="1252048">net-snmp snmpd fork() overhead [fix available]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1252053" id="1252053">net-snmp does not display correct lm_sensors sensor data / missing CPU cores</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="net-snmp is earlier than 1:5.7.2-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152345017"/>
<criterion comment="net-snmp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636008"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-agent-libs is earlier than 1:5.7.2-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152345021"/>
<criterion comment="net-snmp-agent-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636026"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-devel is earlier than 1:5.7.2-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152345013"/>
<criterion comment="net-snmp-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636012"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-gui is earlier than 1:5.7.2-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152345015"/>
<criterion comment="net-snmp-gui is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636030"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-libs is earlier than 1:5.7.2-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152345005"/>
<criterion comment="net-snmp-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636010"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-perl is earlier than 1:5.7.2-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152345011"/>
<criterion comment="net-snmp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636016"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-python is earlier than 1:5.7.2-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152345009"/>
<criterion comment="net-snmp-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636014"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-sysvinit is earlier than 1:5.7.2-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152345019"/>
<criterion comment="net-snmp-sysvinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636024"/>
</criteria>
<criteria operator="AND">
<criterion comment="net-snmp-utils is earlier than 1:5.7.2-24.el7" test_ref="oval:com.redhat.rhsa:tst:20152345007"/>
<criterion comment="net-snmp-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151636006"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152355" version="601">
<metadata>
<title>RHSA-2015:2355: sssd security, bug fix, and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2355-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2355.html" source="RHSA"/>
<reference ref_id="CVE-2015-5292" ref_url="https://access.redhat.com/security/cve/CVE-2015-5292" source="CVE"/>
<description>The System Security Services Daemon (SSSD) service provides a set of
daemons to manage access to remote directories and authentication
mechanisms.
It was found that SSSD's Privilege Attribute Certificate (PAC) responder
plug-in would leak a small amount of memory on each authentication request.
A remote attacker could potentially use this flaw to exhaust all available
memory on the system by making repeated requests to a Kerberized daemon
application configured to authenticate using the PAC responder plug-in.
(CVE-2015-5292)
The sssd packages have been upgraded to upstream version 1.13.0, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1205554)
Several enhancements are described in the Red Hat Enterprise Linux 7.2
Release Notes, linked to in the References section:
* SSSD smart card support (BZ#854396)
* Cache authentication in SSSD (BZ#910187)
* SSSD supports overriding automatically discovered AD site (BZ#1163806)
* SSSD can now deny SSH access to locked accounts (BZ#1175760)
* SSSD enables UID and GID mapping on individual clients (BZ#1183747)
* Background refresh of cached entries (BZ#1199533)
* Multi-step prompting for one-time and long-term passwords (BZ#1200873)
* Caching for initgroups operations (BZ#1206575)
Bugs fixed:
* When the SELinux user content on an IdM server was set to an empty
string, the SSSD SELinux evaluation utility returned an error. (BZ#1192314)
* If the ldap_child process failed to initialize credentials and exited
with an error multiple times, operations that create files in some cases
started failing due to an insufficient amount of i-nodes. (BZ#1198477)
* The SRV queries used a hard coded TTL timeout, and environments that
wanted the SRV queries to be valid for a certain time only were blocked.
Now, SSSD parses the TTL value out of the DNS packet. (BZ#1199541)
* Previously, initgroups operation took an excessive amount of time. Now,
logins and ID processing are faster for setups with AD back end and
disabled ID mapping. (BZ#1201840)
* When an IdM client with Red Hat Enterprise Linux 7.1 or later was
connecting to a server with Red Hat Enterprise Linux 7.0 or earlier,
authentication with an AD trusted domain caused the sssd_be process to
terminate unexpectedly. (BZ#1202170)
* If replication conflict entries appeared during HBAC processing, the user
was denied access. Now, the replication conflict entries are skipped and
users are permitted access. (BZ#1202245)
* The array of SIDs no longer contains an uninitialized value and SSSD no
longer crashes. (BZ#1204203)
* SSSD supports GPOs from different domain controllers and no longer
crashes when processing GPOs from different domain controllers.
(BZ#1205852)
* SSSD could not refresh sudo rules that contained groups with special
characters, such as parentheses, in their name. (BZ#1208507)
* The IPA names are not qualified on the client side if the server already
qualified them, and IdM group members resolve even if default_domain_suffix
is used on the server side. (BZ#1211830)
* The internal cache cleanup task has been disabled by default to improve
performance of the sssd_be process. (BZ#1212489)
* Now, default_domain_suffix is not considered anymore for autofs maps.
(BZ#1216285)
* The user can set subdomain_inherit=ignore_group-members to disable
fetching group members for trusted domains. (BZ#1217350)
* The group resolution failed with an error message: "Error: 14 (Bad
address)". The binary GUID handling has been fixed. (BZ#1226119)
Enhancements added:
* The description of default_domain_suffix has been improved in the manual
pages. (BZ#1185536)
* With the new "%0" template option, users on SSSD IdM clients can now use
home directories set on AD. (BZ#1187103)
All sssd users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-22"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5292">CVE-2015-5292</cve>
<bugzilla href="https://bugzilla.redhat.com/854396" id="854396">[RFE] Support for smart cards</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1007968" id="1007968">sssd does not create AAAA record in AD</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163806" id="1163806">[RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187103" id="1187103">[RFE] User's home directories are not taken from AD when there is an IPA trust with AD</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187146" id="1187146">If v4 address exists, will not create nonexistant v6 in ipa domain</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1192314" id="1192314">With empty ipaselinuxusermapdefault security context on client is staff_u</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199445" id="1199445">Does sssd-ad use the most suitable attribute for group name?</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1200873" id="1200873">[RFE] Allow smart multi step prompting when user logs in with password and token code from IPA</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1201840" id="1201840">SSSD downloads too much information when fetching information about groups</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202245" id="1202245">SSSD's HBAC processing is not permissive enough with broken replication entries</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1202724" id="1202724">[RFE] Add a way to lookup users based on CAC identity certificates</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1203642" id="1203642">GPO access control looks for computer object in user's domain only</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205144" id="1205144">RFE: Support one-way trusts for IPA</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205160" id="1205160">Complain loudly if backend doesn't start due to missing or invalid keytab</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205554" id="1205554">Rebase SSSD to 1.13.x</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206189" id="1206189">[bug] sssd always appends default_domain_suffix when checking for host keys</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206565" id="1206565">[RFE] Add dualstack and multihomed support</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206566" id="1206566">SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206571" id="1206571">[RFE] Expose D-BUS interface</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211830" id="1211830">external users do not resolve with "default_domain_suffix" set in IPA server sssd.conf</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1214337" id="1214337">Overrides with --login work in second attempt</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1214716" id="1214716">idoverridegroup for ipa group with --group-name does not work</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1214718" id="1214718">Overridde with --login fails trusted adusers group membership resolution</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1214719" id="1214719">Group resolution is inconsistent with group overrides</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1216285" id="1216285">autofs provider fails when default_domain_suffix and use_fully_qualified_names set</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1217127" id="1217127">Override for IPA users with login does not list user all groups</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1217559" id="1217559">[RFE] Support GPOs from different domain controllers</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1219285" id="1219285">Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1234722" id="1234722">sssd ad provider fails to start in rhel7.2</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1242942" id="1242942">well-known SID check is broken for NetBIOS prefixes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1244949" id="1244949">getgrgid for user's UID on a trust client prevents getpw*</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1246489" id="1246489">sss_obfuscate fails with "ImportError: No module named pysss"</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1249015" id="1249015">KDC proxy not working with SSSD krb5_use_kdcinfo enabled</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1250135" id="1250135">Detect re-established trusts in the IPA subdomain code</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1254184" id="1254184">sss_override does not work correctly when 'use_fully_qualified_names = True'</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1254189" id="1254189">sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1254518" id="1254518">Fix crash in nss responder</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1259512" id="1259512">sss_override : The local override user is not found</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1261155" id="1261155">nsupdate exits on first GSSAPI error instead of processing other commands</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1263587" id="1263587">sss_override --name doesn't work with RFC2307 and ghost users</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1263735" id="1263735">Could not resolve AD user from root domain</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1266107" id="1266107">AD: Conditional jump or move depends on uninitialised value</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267176" id="1267176">Memory leak / possible DoS with krb auth. [rhel 7.2]</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267580" id="1267580">CVE-2015-5292 sssd: memory leak in the sssd_pac_plugin</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267836" id="1267836">PAM responder crashed if user was not set</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267837" id="1267837">sssd_be crashed in ipa_srv_ad_acct_lookup_step</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1270827" id="1270827">local overrides: don't contact server with overridden name/id</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libipa_hbac is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355005"/>
<criterion comment="libipa_hbac is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libipa_hbac-devel is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355047"/>
<criterion comment="libipa_hbac-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355048"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsss_idmap is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355049"/>
<criterion comment="libsss_idmap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355050"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsss_idmap-devel is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355045"/>
<criterion comment="libsss_idmap-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355046"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsss_nss_idmap is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355017"/>
<criterion comment="libsss_nss_idmap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355018"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsss_nss_idmap-devel is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355039"/>
<criterion comment="libsss_nss_idmap-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355040"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsss_simpleifp is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355021"/>
<criterion comment="libsss_simpleifp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355022"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsss_simpleifp-devel is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355011"/>
<criterion comment="libsss_simpleifp-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355012"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-libipa_hbac is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355043"/>
<criterion comment="python-libipa_hbac is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355044"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-libsss_nss_idmap is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355029"/>
<criterion comment="python-libsss_nss_idmap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355030"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-sss is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355033"/>
<criterion comment="python-sss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355034"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-sss-murmur is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355053"/>
<criterion comment="python-sss-murmur is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355054"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-sssdconfig is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355057"/>
<criterion comment="python-sssdconfig is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355058"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355051"/>
<criterion comment="sssd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355052"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-ad is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355007"/>
<criterion comment="sssd-ad is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355008"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-client is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355055"/>
<criterion comment="sssd-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355056"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-common is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355041"/>
<criterion comment="sssd-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355042"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-common-pac is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355037"/>
<criterion comment="sssd-common-pac is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355038"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-dbus is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355027"/>
<criterion comment="sssd-dbus is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355028"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-ipa is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355025"/>
<criterion comment="sssd-ipa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355026"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-krb5 is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355009"/>
<criterion comment="sssd-krb5 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355010"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-krb5-common is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355013"/>
<criterion comment="sssd-krb5-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355014"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-ldap is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355019"/>
<criterion comment="sssd-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355020"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-libwbclient is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355023"/>
<criterion comment="sssd-libwbclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355024"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-libwbclient-devel is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355031"/>
<criterion comment="sssd-libwbclient-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355032"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-proxy is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355035"/>
<criterion comment="sssd-proxy is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355036"/>
</criteria>
<criteria operator="AND">
<criterion comment="sssd-tools is earlier than 0:1.13.0-40.el7" test_ref="oval:com.redhat.rhsa:tst:20152355015"/>
<criterion comment="sssd-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152355016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152360" version="601">
<metadata>
<title>RHSA-2015:2360: cups-filters security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2360-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2360.html" source="RHSA"/>
<reference ref_id="CVE-2015-3258" ref_url="https://access.redhat.com/security/cve/CVE-2015-3258" source="CVE"/>
<reference ref_id="CVE-2015-3279" ref_url="https://access.redhat.com/security/cve/CVE-2015-3279" source="CVE"/>
<description>The cups-filters packages contain back ends, filters, and other software
that was once part of the core Common UNIX Printing System (CUPS)
distribution but is now maintained independently.
A heap-based buffer overflow flaw and an integer overflow flaw leading to a
heap-based buffer overflow were discovered in the way the texttopdf utility
of cups-filter processed print jobs with a specially crafted line size.
An attacker able to submit print jobs could use these flaws to crash
texttopdf or, possibly, execute arbitrary code with the privileges of the
"lp" user. (CVE-2015-3258, CVE-2015-3279)
The CVE-2015-3258 issue was discovered by Petr Sklenar of Red Hat.
Notably, this update also fixes the following bug:
* Previously, when polling CUPS printers from a CUPS server, when a printer
name contained an underscore (_), the client displayed the name containing
a hyphen (-) instead. This made the print queue unavailable. With this
update, CUPS allows the underscore character in printer names, and printers
appear as shown on the CUPS server as expected. (BZ#1167408)
In addition, this update adds the following enhancement:
* Now, the information from local and remote CUPS servers is cached during
each poll, and the CUPS server load is reduced. (BZ#1191691)
All cups-filters users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues and add this
enhancement.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-22"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3258">CVE-2015-3258</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3279">CVE-2015-3279</cve>
<bugzilla href="https://bugzilla.redhat.com/1167408" id="1167408">Cups is failing to poll Printers containing a "_" in the Name</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1191691" id="1191691">cups-browsed very inefficient</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1223719" id="1223719">Cups is not pulling Description of Printers from Cups server</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1235385" id="1235385">CVE-2015-3258 cups-filters: texttopdf heap-based buffer overflow</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1238990" id="1238990">CVE-2015-3279 cups-filters: texttopdf integer overflow</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="cups-filters is earlier than 0:1.0.35-21.el7" test_ref="oval:com.redhat.rhsa:tst:20152360009"/>
<criterion comment="cups-filters is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141795006"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-filters-devel is earlier than 0:1.0.35-21.el7" test_ref="oval:com.redhat.rhsa:tst:20152360005"/>
<criterion comment="cups-filters-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141795008"/>
</criteria>
<criteria operator="AND">
<criterion comment="cups-filters-libs is earlier than 0:1.0.35-21.el7" test_ref="oval:com.redhat.rhsa:tst:20152360007"/>
<criterion comment="cups-filters-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141795010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152369" version="601">
<metadata>
<title>RHSA-2015:2369: openhpi security, bug fix, and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2369-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2369.html" source="RHSA"/>
<reference ref_id="CVE-2015-3248" ref_url="https://access.redhat.com/security/cve/CVE-2015-3248" source="CVE"/>
<description>OpenHPI is an open source project created with the intent of providing an
implementation of the SA Forum's Hardware Platform Interface (HPI).
HPI provides an abstracted interface to managing computer hardware,
typically for chassis and rack based servers. HPI includes resource
modeling, access to and control over sensor, control, watchdog, and
inventory data associated with resources, abstracted System Event Log
interfaces, hardware events and alerts, and a managed hotswap interface.
It was found that the "/var/lib/openhpi" directory provided by OpenHPI used
world-writeable and world-readable permissions. A local user could use this
flaw to view, modify, and delete OpenHPI-related data, or even fill up the
storage device hosting the /var/lib directory. (CVE-2015-3248)
This issue was discovered by Marko Myllynen of Red Hat.
The openhpi packages have been upgraded to upstream version 3.4.0, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1127908)
This update also fixes the following bug:
* Network timeouts were handled incorrectly in the openhpid daemon. As a
consequence, network connections could fail when external plug-ins were
used. With this update, handling of network socket timeouts has been
improved in openhpid, and the described problem no longer occurs.
(BZ#1208127)
All openhpi users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-23"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3248">CVE-2015-3248</cve>
<bugzilla href="https://bugzilla.redhat.com/1233520" id="1233520">CVE-2015-3248 openhpi: world writable /var/lib/openhpi directory</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openhpi is earlier than 0:3.4.0-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152369005"/>
<criterion comment="openhpi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152369006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openhpi-devel is earlier than 0:3.4.0-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152369009"/>
<criterion comment="openhpi-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152369010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openhpi-libs is earlier than 0:3.4.0-2.el7" test_ref="oval:com.redhat.rhsa:tst:20152369007"/>
<criterion comment="openhpi-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152369008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152378" version="601">
<metadata>
<title>RHSA-2015:2378: squid security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2378-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2378.html" source="RHSA"/>
<reference ref_id="CVE-2015-3455" ref_url="https://access.redhat.com/security/cve/CVE-2015-3455" source="CVE"/>
<description>Squid is a high-performance proxy caching server for web clients,
supporting FTP, Gopher, and HTTP data objects.
It was found that Squid configured with client-first SSL-bump did not
correctly validate X.509 server certificate host name fields. A
man-in-the-middle attacker could use this flaw to spoof a Squid server
using a specially crafted X.509 certificate. (CVE-2015-3455)
This update fixes the following bugs:
* Previously, the squid process did not handle file descriptors correctly
when receiving Simple Network Management Protocol (SNMP) requests. As a
consequence, the process gradually accumulated open file descriptors. This
bug has been fixed and squid now handles SNMP requests correctly, closing
file descriptors when necessary. (BZ#1198778)
* Under high system load, the squid process sometimes terminated
unexpectedly with a segmentation fault during reboot. This update provides
better memory handling during reboot, thus fixing this bug. (BZ#1225640)
Users of squid are advised to upgrade to these updated packages, which fix
these bugs. After installing this update, the squid service will be
restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-25"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3455">CVE-2015-3455</cve>
<bugzilla href="https://bugzilla.redhat.com/1102842" id="1102842">missing /var/run/squid needed for smp mode</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1161600" id="1161600">Squid does not serve cached responses with Vary headers</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198778" id="1198778">Filedescriptor leaks on snmp</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1204375" id="1204375">squid sends incorrect ssl chain breaking newer gnutls using applications</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1218118" id="1218118">CVE-2015-3455 squid: incorrect X509 server certificate validation (SQUID-2015:1)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1263338" id="1263338">squid with digest auth on big endian systems start looping</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="squid is earlier than 7:3.3.8-26.el7" test_ref="oval:com.redhat.rhsa:tst:20152378005"/>
<criterion comment="squid is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141147006"/>
</criteria>
<criteria operator="AND">
<criterion comment="squid-sysvinit is earlier than 7:3.3.8-26.el7" test_ref="oval:com.redhat.rhsa:tst:20152378007"/>
<criterion comment="squid-sysvinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141147008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152383" version="601">
<metadata>
<title>RHSA-2015:2383: pacemaker security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2383-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2383.html" source="RHSA"/>
<reference ref_id="CVE-2015-1867" ref_url="https://access.redhat.com/security/cve/CVE-2015-1867" source="CVE"/>
<description>The Pacemaker Resource Manager is a collection of technologies working
together to provide data integrity and the ability to maintain
application availability in the event of a failure.
A flaw was found in the way pacemaker, a cluster resource manager,
evaluated added nodes in certain situations. A user with read-only access
could potentially assign any other existing roles to themselves and then
add privileges to other users as well. (CVE-2015-1867)
The pacemaker packages have been upgraded to upstream version 1.1.13, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#1234680)
This update also fixes the following bugs:
* When a Pacemaker cluster included an Apache resource, and Apache's
mod_systemd module was enabled, systemd rejected notifications sent by
Apache. As a consequence, a large number of errors in the following format
appeared in the system log:
Got notification message from PID XXXX, but reception only permitted
for PID YYYY
With this update, the lrmd daemon now unsets the "NOTIFY_SOCKET" variable
in the described circumstances, and these error messages are no longer
logged. (BZ#1150184)
* Previously, specifying a remote guest node as a part of a group resource
in a Pacemaker cluster caused the node to stop working. This update adds
support for remote guests in Pacemaker group resources, and the described
problem no longer occurs. (BZ#1168637)
* When a resource in a Pacemaker cluster failed to start, Pacemaker updated
the resource's last failure time and incremented its fail count even if the
"on-fail=ignore" option was used. This in some cases caused unintended
resource migrations when a resource start failure occurred. Now, Pacemaker
does not update the fail count when "on-fail=ignore" is used. As a result,
the failure is displayed in the cluster status output, but is properly
ignored and thus does not cause resource migration. (BZ#1200849)
* Previously, Pacemaker supported semicolon characters (";") as delimiters
when parsing the pcmk_host_map string, but not when parsing the
pcmk_host_list string. To ensure consistent user experience, semicolons are
now supported as delimiters for parsing pcmk_host_list, as well.
(BZ#1206232)
In addition, this update adds the following enhancements:
* If a Pacemaker location constraint has the "resource-discovery=never"
option, Pacemaker now does not attempt to determine whether a specified
service is running on the specified node. In addition, if multiple location
constraints for a given resource specify "resource-discovery=exclusive",
then Pacemaker attempts resource discovery only on the nodes specified in
those constraints. This allows Pacemaker to skip resource discovery on
nodes where attempting the operation would lead to error or other
undesirable behavior. (BZ#1108853)
* The procedure of configuring fencing for redundant power supplies has
been simplified in order to prevent multiple nodes accessing cluster
resources at the same time and thus causing data corruption. For further
information, see the "Fencing: Configuring STONITH" chapter of the High
Availability Add-On Reference manual. (BZ#1206647)
* The output of the "crm_mon" and "pcs_status" commands has been modified
to be clearer and more concise, and thus easier to read when reporting
the status of a Pacemaker cluster with a large number of remote nodes and
cloned resources. (BZ#1115840)
All pacemaker users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-06-29"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1867">CVE-2015-1867</cve>
<bugzilla href="https://bugzilla.redhat.com/1162727" id="1162727">member weirdness when adding/removing nodes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1172539" id="1172539">Node ends up in a reboot loop when a resource with the same name exists</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182244" id="1182244">crm_resource --restart broken</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1182614" id="1182614">Logs full of: error: gio_poll_dispatch_update: Adaptor for descriptor 8 is not in-use</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1187321" id="1187321">pacemaker - libqb dependency needs update</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1194475" id="1194475">edge case causes colocation constraint not to be honored.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1200785" id="1200785">pacemaker-cli requires pacemaker but does not depend on it</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1200849" id="1200849">crmd: Resource marked with failcount=INFINITY on start failure with on-fail=ignore</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1203053" id="1203053">Nagios metadata is missing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1205188" id="1205188">debug-promote implementation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1206232" id="1206232">fencing: Allow semi-colon delimiter for pcmk_host_list</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211370" id="1211370">CVE-2015-1867 pacemaker: acl read-only access allow role assignment</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211833" id="1211833">systemd resources are shut down before the cluster at reboot</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1212647" id="1212647">crm_resource -C works inconsistently with clearing resources on baremetal remote nodes</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1225854" id="1225854">Error in `/usr/sbin/crm_resource': free(): invalid pointer: 0x00007f7199482848</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1234680" id="1234680">Rebase Pacemaker to obtain pacemaker-remote fixes for OSP</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1246291" id="1246291">lrmd killed by SIGSEGV</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267265" id="1267265">A change in "crm_resource --set-parameter is-managed" introduces regression for Clone and M/S resources</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="pacemaker is earlier than 0:1.1.13-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152383013"/>
<criterion comment="pacemaker is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152383014"/>
</criteria>
<criteria operator="AND">
<criterion comment="pacemaker-cli is earlier than 0:1.1.13-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152383017"/>
<criterion comment="pacemaker-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152383018"/>
</criteria>
<criteria operator="AND">
<criterion comment="pacemaker-cluster-libs is earlier than 0:1.1.13-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152383005"/>
<criterion comment="pacemaker-cluster-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152383006"/>
</criteria>
<criteria operator="AND">
<criterion comment="pacemaker-cts is earlier than 0:1.1.13-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152383011"/>
<criterion comment="pacemaker-cts is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152383012"/>
</criteria>
<criteria operator="AND">
<criterion comment="pacemaker-doc is earlier than 0:1.1.13-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152383019"/>
<criterion comment="pacemaker-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152383020"/>
</criteria>
<criteria operator="AND">
<criterion comment="pacemaker-libs is earlier than 0:1.1.13-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152383007"/>
<criterion comment="pacemaker-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152383008"/>
</criteria>
<criteria operator="AND">
<criterion comment="pacemaker-libs-devel is earlier than 0:1.1.13-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152383015"/>
<criterion comment="pacemaker-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152383016"/>
</criteria>
<criteria operator="AND">
<criterion comment="pacemaker-nagios-plugins-metadata is earlier than 0:1.1.13-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152383009"/>
<criterion comment="pacemaker-nagios-plugins-metadata is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152383010"/>
</criteria>
<criteria operator="AND">
<criterion comment="pacemaker-remote is earlier than 0:1.1.13-10.el7" test_ref="oval:com.redhat.rhsa:tst:20152383021"/>
<criterion comment="pacemaker-remote is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152383022"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152393" version="601">
<metadata>
<title>RHSA-2015:2393: wireshark security, bug fix, and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2393-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2393.html" source="RHSA"/>
<reference ref_id="CVE-2014-8710" ref_url="https://access.redhat.com/security/cve/CVE-2014-8710" source="CVE"/>
<reference ref_id="CVE-2014-8711" ref_url="https://access.redhat.com/security/cve/CVE-2014-8711" source="CVE"/>
<reference ref_id="CVE-2014-8712" ref_url="https://access.redhat.com/security/cve/CVE-2014-8712" source="CVE"/>
<reference ref_id="CVE-2014-8713" ref_url="https://access.redhat.com/security/cve/CVE-2014-8713" source="CVE"/>
<reference ref_id="CVE-2014-8714" ref_url="https://access.redhat.com/security/cve/CVE-2014-8714" source="CVE"/>
<reference ref_id="CVE-2015-0562" ref_url="https://access.redhat.com/security/cve/CVE-2015-0562" source="CVE"/>
<reference ref_id="CVE-2015-0563" ref_url="https://access.redhat.com/security/cve/CVE-2015-0563" source="CVE"/>
<reference ref_id="CVE-2015-0564" ref_url="https://access.redhat.com/security/cve/CVE-2015-0564" source="CVE"/>
<reference ref_id="CVE-2015-2188" ref_url="https://access.redhat.com/security/cve/CVE-2015-2188" source="CVE"/>
<reference ref_id="CVE-2015-2189" ref_url="https://access.redhat.com/security/cve/CVE-2015-2189" source="CVE"/>
<reference ref_id="CVE-2015-2191" ref_url="https://access.redhat.com/security/cve/CVE-2015-2191" source="CVE"/>
<reference ref_id="CVE-2015-3182" ref_url="https://access.redhat.com/security/cve/CVE-2015-3182" source="CVE"/>
<reference ref_id="CVE-2015-3810" ref_url="https://access.redhat.com/security/cve/CVE-2015-3810" source="CVE"/>
<reference ref_id="CVE-2015-3811" ref_url="https://access.redhat.com/security/cve/CVE-2015-3811" source="CVE"/>
<reference ref_id="CVE-2015-3812" ref_url="https://access.redhat.com/security/cve/CVE-2015-3812" source="CVE"/>
<reference ref_id="CVE-2015-3813" ref_url="https://access.redhat.com/security/cve/CVE-2015-3813" source="CVE"/>
<reference ref_id="CVE-2015-6243" ref_url="https://access.redhat.com/security/cve/CVE-2015-6243" source="CVE"/>
<reference ref_id="CVE-2015-6244" ref_url="https://access.redhat.com/security/cve/CVE-2015-6244" source="CVE"/>
<reference ref_id="CVE-2015-6245" ref_url="https://access.redhat.com/security/cve/CVE-2015-6245" source="CVE"/>
<reference ref_id="CVE-2015-6246" ref_url="https://access.redhat.com/security/cve/CVE-2015-6246" source="CVE"/>
<reference ref_id="CVE-2015-6248" ref_url="https://access.redhat.com/security/cve/CVE-2015-6248" source="CVE"/>
<description>The wireshark packages contain a network protocol analyzer used to capture
and browse the traffic running on a computer network.
Several denial of service flaws were found in Wireshark. Wireshark could
crash or stop responding if it read a malformed packet off a network, or
opened a malicious dump file. (CVE-2015-2188, CVE-2015-2189, CVE-2015-2191,
CVE-2015-3810, CVE-2015-3811, CVE-2015-3812, CVE-2015-3813, CVE-2014-8710,
CVE-2014-8711, CVE-2014-8712, CVE-2014-8713, CVE-2014-8714, CVE-2015-0562,
CVE-2015-0563, CVE-2015-0564, CVE-2015-3182, CVE-2015-6243, CVE-2015-6244,
CVE-2015-6245, CVE-2015-6246, CVE-2015-6248)
The CVE-2015-3182 issue was discovered by Martin Žember of Red Hat.
The wireshark packages have been upgraded to upstream version 1.10.14,
which provides a number of bug fixes and enhancements over the previous
version. (BZ#1238676)
This update also fixes the following bug:
* Prior to this update, when using the tshark utility to capture packets
over the interface, tshark failed to create output files in the .pcap
format even if it was specified using the "-F" option. This bug has been
fixed, the "-F" option is now honored, and the result saved in the .pcap
format as expected. (BZ#1227199)
In addition, this update adds the following enhancement:
* Previously, wireshark included only microseconds in the .pcapng format.
With this update, wireshark supports nanosecond time stamp precision to
allow for more accurate time stamps. (BZ#1213339)
All wireshark users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. All running instances of
Wireshark must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-01"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8710">CVE-2014-8710</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8711">CVE-2014-8711</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8712">CVE-2014-8712</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8713">CVE-2014-8713</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8714">CVE-2014-8714</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0562">CVE-2015-0562</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0563">CVE-2015-0563</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-0564">CVE-2015-0564</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2188">CVE-2015-2188</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2189">CVE-2015-2189</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2191">CVE-2015-2191</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3182">CVE-2015-3182</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3810">CVE-2015-3810</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3811">CVE-2015-3811</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3812">CVE-2015-3812</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3813">CVE-2015-3813</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-6243">CVE-2015-6243</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-6244">CVE-2015-6244</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-6245">CVE-2015-6245</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-6246">CVE-2015-6246</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-6248">CVE-2015-6248</cve>
<bugzilla href="https://bugzilla.redhat.com/1163581" id="1163581">CVE-2014-8714 wireshark: TN5250 infinite loop (wnpa-sec-2014-23)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163582" id="1163582">CVE-2014-8712 CVE-2014-8713 wireshark: NCP dissector crashes (wnpa-sec-2014-22)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163583" id="1163583">CVE-2014-8711 wireshark: AMQP dissector crash (wnpa-sec-2014-21)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1163584" id="1163584">CVE-2014-8710 wireshark: SigComp dissector crash (wnpa-sec-2014-20)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180182" id="1180182">CVE-2015-0562 wireshark: DEC DNA Routing Protocol dissector crash (wnpa-sec-2015-03)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180195" id="1180195">CVE-2015-0563 wireshark: SMTP dissector crash (wnpa-sec-2015-04)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180197" id="1180197">CVE-2015-0564 wireshark: TLS/SSL decryption crash (wnpa-sec-2015-05)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199163" id="1199163">CVE-2015-2188 wireshark: The WCP dissector could crash while decompressing data (wnpa-sec-2015-07)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199165" id="1199165">CVE-2015-2189 wireshark: The pcapng file parser could crash (wnpa-sec-2015-08)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1199167" id="1199167">CVE-2015-2191 wireshark: The TNEF dissector could go into an infinite loop on 32-bit architectures (wnpa-sec-2015-10)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1219409" id="1219409">CVE-2015-3182 wireshark: crash on sample file genbroad.snoop</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1222434" id="1222434">CVE-2015-3810 wireshark: WebSocket DoS (wnpa-sec-2015-13)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1222436" id="1222436">CVE-2015-3811 wireshark: WCP dissector crash (wnpa-sec-2015-14)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1222437" id="1222437">CVE-2015-3812 wireshark: X11 memory leak (wnpa-sec-2015-15)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1222438" id="1222438">CVE-2015-3813 wireshark: Reassembly memory leak (wnpa-sec-2015-16)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1253354" id="1253354">CVE-2015-6243 wireshark: Dissector table crash (wnpa-sec-2015-23)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1253355" id="1253355">CVE-2015-6244 wireshark: ZigBee dissector crash (wnpa-sec-2015-24)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1253356" id="1253356">CVE-2015-6245 wireshark: GSM RLC/MAC dissector infinite loop (wnpa-sec-2015-25)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1253357" id="1253357">CVE-2015-6246 wireshark: WaveAgent dissector crash (wnpa-sec-2015-26)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1253360" id="1253360">CVE-2015-6248 wireshark: Ptvcursor crash (wnpa-sec-2015-28)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1267959" id="1267959">wireshark segfaults</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="wireshark is earlier than 0:1.10.14-7.el7" test_ref="oval:com.redhat.rhsa:tst:20152393009"/>
<criterion comment="wireshark is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141676006"/>
</criteria>
<criteria operator="AND">
<criterion comment="wireshark-devel is earlier than 0:1.10.14-7.el7" test_ref="oval:com.redhat.rhsa:tst:20152393005"/>
<criterion comment="wireshark-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141676008"/>
</criteria>
<criteria operator="AND">
<criterion comment="wireshark-gnome is earlier than 0:1.10.14-7.el7" test_ref="oval:com.redhat.rhsa:tst:20152393007"/>
<criterion comment="wireshark-gnome is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141676010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152401" version="601">
<metadata>
<title>RHSA-2015:2401: grub2 security, bug fix, and enhancement update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2401-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2401.html" source="RHSA"/>
<reference ref_id="CVE-2015-5281" ref_url="https://access.redhat.com/security/cve/CVE-2015-5281" source="CVE"/>
<description>The grub2 packages provide version 2 of the Grand Unified Bootloader
(GRUB), a highly configurable and customizable bootloader with modular
architecture. The packages support a variety of kernel formats, file
systems, computer architectures, and hardware devices.
It was discovered that grub2 builds for EFI systems contained modules that
were not suitable to be loaded in a Secure Boot environment. An attacker
could use this flaw to circumvent the Secure Boot mechanisms and load
non-verified code. Attacks could use the boot menu if no password was set,
or the grub2 configuration file if the attacker has root privileges on the
system. (CVE-2015-5281)
This update also fixes the following bugs:
* In one of the earlier updates, GRUB2 was modified to escape forward slash
(/) characters in several different places. In one of these places, the
escaping was unnecessary and prevented certain types of kernel command-line
arguments from being passed to the kernel correctly. With this update,
GRUB2 no longer escapes the forward slash characters in the mentioned
place, and the kernel command-line arguments work as expected. (BZ#1125404)
* Previously, GRUB2 relied on a timing mechanism provided by legacy
hardware, but not by the Hyper-V Gen2 hypervisor, to calibrate its timer
loop. This prevented GRUB2 from operating correctly on Hyper-V Gen2.
This update modifies GRUB2 to use a different mechanism on Hyper-V Gen2 to
calibrate the timing. As a result, Hyper-V Gen2 hypervisors now work as
expected. (BZ#1150698)
* Prior to this update, users who manually configured GRUB2 to use the
built-in GNU Privacy Guard (GPG) verification observed the following error
on boot:
alloc magic is broken at [addr]: [value] Aborted.
Consequently, the boot failed. The GRUB2 built-in GPG verification has been
modified to no longer free the same memory twice. As a result, the
mentioned error no longer occurs. (BZ#1167977)
* Previously, the system sometimes did not recover after terminating
unexpectedly and failed to reboot. To fix this problem, the GRUB2 packages
now enforce file synchronization when creating the GRUB2 configuration
file, which ensures that the required configuration files are written to
disk. As a result, the system now reboots successfully after crashing.
(BZ#1212114)
* Previously, if an unconfigured network driver instance was selected and
configured when the GRUB2 bootloader was loaded on a different instance,
GRUB2 did not receive notifications of the Address Resolution Protocol
(ARP) replies. Consequently, GRUB2 failed with the following error message:
error: timeout: could not resolve hardware address.
With this update, GRUB2 selects the network driver instance from which it
was loaded. As a result, ARP packets are processed correctly. (BZ#1257475)
In addition, this update adds the following enhancement:
* Sorting of GRUB2 boot menu has been improved. GRUB2 now uses the
rpmdevtools package to sort available kernels and the configuration file is
being generated correctly with the most recent kernel version listed at the
top. (BZ#1124074)
All grub2 users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add this
enhancement.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-02"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5281">CVE-2015-5281</cve>
<bugzilla href="https://bugzilla.redhat.com/1001279" id="1001279">grub2 can't boot new xfs CRC-capable disk format</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1124074" id="1124074">grub2-mkconfig wrong sorting</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1125404" id="1125404">[RHEL 7] grub2 improperly escapes spaces in kernel parameters</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1148650" id="1148650">no docs explaining what config path GRUB expects when netbooting</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1177003" id="1177003">yum reinstall kernel causes duplicate entry in grub menu</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211101" id="1211101">grub2 fw_path variable is incorrect for x86 EFI network boot: too many path components stripped</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1264103" id="1264103">CVE-2015-5281 grub2: modules built in on EFI builds that allow loading arbitrary code, circumventing secure boot</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="grub2 is earlier than 1:2.02-0.29.el7" test_ref="oval:com.redhat.rhsa:tst:20152401005"/>
<criterion comment="grub2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152401006"/>
</criteria>
<criteria operator="AND">
<criterion comment="grub2-efi is earlier than 1:2.02-0.29.el7" test_ref="oval:com.redhat.rhsa:tst:20152401011"/>
<criterion comment="grub2-efi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152401012"/>
</criteria>
<criteria operator="AND">
<criterion comment="grub2-efi-modules is earlier than 1:2.02-0.29.el7" test_ref="oval:com.redhat.rhsa:tst:20152401009"/>
<criterion comment="grub2-efi-modules is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152401010"/>
</criteria>
<criteria operator="AND">
<criterion comment="grub2-tools is earlier than 1:2.02-0.29.el7" test_ref="oval:com.redhat.rhsa:tst:20152401007"/>
<criterion comment="grub2-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152401008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152411" version="601">
<metadata>
<title>RHSA-2015:2411: kernel-rt security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2411-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2411.html" source="RHSA"/>
<reference ref_id="CVE-2013-7421" ref_url="https://access.redhat.com/security/cve/CVE-2013-7421" source="CVE"/>
<reference ref_id="CVE-2014-8171" ref_url="https://access.redhat.com/security/cve/CVE-2014-8171" source="CVE"/>
<reference ref_id="CVE-2014-9419" ref_url="https://access.redhat.com/security/cve/CVE-2014-9419" source="CVE"/>
<reference ref_id="CVE-2014-9644" ref_url="https://access.redhat.com/security/cve/CVE-2014-9644" source="CVE"/>
<reference ref_id="CVE-2015-2925" ref_url="https://access.redhat.com/security/cve/CVE-2015-2925" source="CVE"/>
<reference ref_id="CVE-2015-3339" ref_url="https://access.redhat.com/security/cve/CVE-2015-3339" source="CVE"/>
<reference ref_id="CVE-2015-4170" ref_url="https://access.redhat.com/security/cve/CVE-2015-4170" source="CVE"/>
<reference ref_id="CVE-2015-5283" ref_url="https://access.redhat.com/security/cve/CVE-2015-5283" source="CVE"/>
<reference ref_id="CVE-2015-7613" ref_url="https://access.redhat.com/security/cve/CVE-2015-7613" source="CVE"/>
<reference ref_id="CVE-2015-7837" ref_url="https://access.redhat.com/security/cve/CVE-2015-7837" source="CVE"/>
<description>The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.
* A flaw was found in the way the Linux kernel's file system implementation
handled rename operations in which the source was inside and the
destination was outside of a bind mount. A privileged user inside a
container could use this flaw to escape the bind mount and, potentially,
escalate their privileges on the system. (CVE-2015-2925, Important)
* A race condition flaw was found in the way the Linux kernel's IPC
subsystem initialized certain fields in an IPC object structure that were
later used for permission checking before inserting the object into a
globally visible list. A local, unprivileged user could potentially use
this flaw to elevate their privileges on the system. (CVE-2015-7613,
Important)
* It was found that the Linux kernel memory resource controller's (memcg)
handling of OOM (out of memory) conditions could lead to deadlocks.
An attacker able to continuously spawn new processes within a single
memory-constrained cgroup during an OOM event could use this flaw to lock
up the system. (CVE-2014-8171, Moderate)
* A race condition flaw was found between the chown and execve system
calls. When changing the owner of a setuid user binary to root, the race
condition could momentarily make the binary setuid root. A local,
unprivileged user could potentially use this flaw to escalate their
privileges on the system. (CVE-2015-3339, Moderate)
* A flaw was discovered in the way the Linux kernel's TTY subsystem handled
the tty shutdown phase. A local, unprivileged user could use this flaw to
cause a denial of service on the system by holding a reference to the ldisc
lock during tty shutdown, causing a deadlock. (CVE-2015-4170, Moderate)
* A NULL pointer dereference flaw was found in the SCTP implementation.
A local user could use this flaw to cause a denial of service on the system
by triggering a kernel panic when creating multiple sockets in parallel
while the system did not have the SCTP module loaded. (CVE-2015-5283,
Moderate)
* A flaw was found in the way the Linux kernel's Crypto subsystem handled
automatic loading of kernel modules. A local user could use this flaw to
load any installed kernel module, and thus increase the attack surface of
the running kernel. (CVE-2013-7421, CVE-2014-9644, Low)
* An information leak flaw was found in the way the Linux kernel changed
certain segment registers and thread-local storage (TLS) during a context
switch. A local, unprivileged user could use this flaw to leak the user
space TLS base address of an arbitrary process. (CVE-2014-9419, Low)
* A flaw was found in the way the Linux kernel handled the securelevel
functionality after performing a kexec operation. A local attacker could
use this flaw to bypass the security mechanism of the
securelevel/secureboot combination. (CVE-2015-7837, Low)
Red Hat would like to thank Linn Crosetto of HP for reporting the
CVE-2015-7837 issue. The CVE-2015-5283 issue was discovered by Ji Jianwen
from Red Hat engineering.
The kernel-rt packages have been upgraded to version 3.10.0-326.rt56.204,
which provides a number of bug fixes and enhancements. (BZ#1201915,
BZ#1211724)
This update also fixes several bugs and adds multiple enhancements.
Refer to the following Red Hat Knowledgebase article for information on the
most significant of these changes:
https://access.redhat.com/articles/2055783
All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-06"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2013-7421">CVE-2013-7421</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8171">CVE-2014-8171</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9419">CVE-2014-9419</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2014-9644">CVE-2014-9644</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-2925">CVE-2015-2925</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3339">CVE-2015-3339</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4170">CVE-2015-4170</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5283">CVE-2015-5283</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7613">CVE-2015-7613</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7837">CVE-2015-7837</cve>
<bugzilla href="https://bugzilla.redhat.com/1177260" id="1177260">CVE-2014-9419 kernel: partial ASLR bypass through TLS base addresses leak</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1185469" id="1185469">CVE-2013-7421 Linux kernel: crypto api unprivileged arbitrary module load via request_module()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1190546" id="1190546">CVE-2014-9644 Linux kernel: crypto api unprivileged arbitrary module load via request_module()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1198109" id="1198109">CVE-2014-8171 kernel: memcg: OOM handling DoS</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209190" id="1209190">kernel-rt: rebase tree to match RHEL7.1.z source tree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1209367" id="1209367">CVE-2015-2925 Kernel: vfs: Do not allow escaping from bind mounts</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1211724" id="1211724">kernel-rt: rebase to the RHEL7.1.z batch3 source tree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1214030" id="1214030">CVE-2015-3339 kernel: race condition between chown() and execve()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1218879" id="1218879">CVE-2015-4170 kernel: pty layer race condition on tty ldisc shutdown.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1230391" id="1230391">kernel-rt: update to the RHEL7.1.z batch 4 source tree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1230395" id="1230395">kernel-rt: update to the RHEL7.1.z batch 5 source tree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1257528" id="1257528">CVE-2015-5283 kernel: Creating multiple sockets when SCTP module isn't loaded leads to kernel panic</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1265251" id="1265251">kernel-rt: update to the RHEL7.1.z batch 6 source tree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1268270" id="1268270">CVE-2015-7613 kernel: Unauthorized access to IPC objects with SysV shm</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1272472" id="1272472">CVE-2015-7837 kernel: securelevel disabled after kexec</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel-rt is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411021"/>
<criterion comment="kernel-rt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411015"/>
<criterion comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-devel is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411019"/>
<criterion comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-kvm is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411007"/>
<criterion comment="kernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152411008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-devel is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411011"/>
<criterion comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-doc is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411005"/>
<criterion comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-kvm is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411023"/>
<criterion comment="kernel-rt-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152411024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411017"/>
<criterion comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-devel is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411009"/>
<criterion comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-kvm is earlier than 0:3.10.0-327.rt56.204.el7" test_ref="oval:com.redhat.rhsa:tst:20152411013"/>
<criterion comment="kernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152411014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152417" version="601">
<metadata>
<title>RHSA-2015:2417: autofs security, bug fix and enhancement update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2417-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2417.html" source="RHSA"/>
<reference ref_id="CVE-2014-8169" ref_url="https://access.redhat.com/security/cve/CVE-2014-8169" source="CVE"/>
<description>The autofs utility controls the operation of the automount daemon. The
daemon automatically mounts file systems when in use and unmounts them when
they are not busy.
It was found that program-based automounter maps that used interpreted
languages such as Python used standard environment variables to locate
and load modules of those languages. A local attacker could potentially use
this flaw to escalate their privileges on the system. (CVE-2014-8169)
Note: This issue has been fixed by adding the "AUTOFS_" prefix to the
affected environment variables so that they are not used to subvert the
system. A configuration option ("force_standard_program_map_env") to
override this prefix and to use the environment variables without the
prefix has been added. In addition, warnings have been added to the manual
page and to the installed configuration file. Now, by default the standard
variables of the program map are provided only with the prefix added to
its name.
Red Hat would like to thank the Georgia Institute of Technology for
reporting this issue.
Notably, this update fixes the following bugs:
* When the "ls *" command was run in the root of an indirect mount, autofs
attempted to literally mount the wildcard character (*) causing it to be
added to the negative cache. If done before a valid mount, autofs then
failed on further mount attempts inside the mount point, valid or not. This
has been fixed, and wildcard map entries now function in the described
situation. (BZ#1166457)
* When autofs encountered a syntax error consisting of a duplicate entry in
a multimap entry, it reported an error and did not mount the map entry.
With this update, autofs has been amended to report the problem in the log
to alert the system administrator and use the last seen instance of the
duplicate entry rather than fail. (BZ#1205600)
* In the ldap and sss lookup modules, the map reading functions did not
distinguish between the "no entry found" and "service not available"
errors. Consequently, when the "service not available" response was
returned from a master map read, autofs did not update the mounts.
An "entry not found" return does not prevent the map update, so the ldap
and sss lookup modules were updated to distinguish between these two
returns and now work as expected. (BZ#1233065)
In addition, this update adds the following enhancement:
* The description of the configuration parameter map_hash_table_size was
missing from the autofs.conf(5) man page and its description in the
configuration file comments was insufficient. A description of the
parameter has been added to autofs.conf(5), and the configuration file
comments have been updated. (BZ#1238573)
All autofs users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add this
enhancement.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-07-07"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8169">CVE-2014-8169</cve>
<bugzilla href="https://bugzilla.redhat.com/1161474" id="1161474">automount segment fault in parse_sun.so for negative parser tests</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1166457" id="1166457">Autofs unable to mount indirect after attempt to mount wildcard</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1192565" id="1192565">CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1201582" id="1201582">autofs: MAPFMT_DEFAULT is not macro in lookup_program.c</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1218045" id="1218045">Similar but unrelated NFS exports block proper mounting of "parent" mount point</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1233067" id="1233067">autofs is performing excessive direct mount map re-reads</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1233069" id="1233069">Direct map does not expire if map is initially empty</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1263508" id="1263508">Heavy program map usage can lead to a hang</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="autofs is earlier than 1:5.0.7-54.el7" test_ref="oval:com.redhat.rhsa:tst:20152417005"/>
<criterion comment="autofs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152417006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152455" version="601">
<metadata>
<title>RHSA-2015:2455: unbound security and bug fix update (Low)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2455-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2455.html" source="RHSA"/>
<reference ref_id="CVE-2014-8602" ref_url="https://access.redhat.com/security/cve/CVE-2014-8602" source="CVE"/>
<description>The unbound packages provide a validating, recursive, and caching DNS or
DNSSEC resolver.
A denial of service flaw was found in unbound that an attacker could use to
trick the unbound resolver into following an endless loop of delegations,
consuming an excessive amount of resources. (CVE-2014-8602)
This update also fixes the following bugs:
* Prior to this update, there was a mistake in the time configuration in
the cron job invoking unbound-anchor to update the root zone key.
Consequently, unbound-anchor was invoked once a month instead of every day,
thus not complying with RFC 5011. The cron job has been replaced with a
systemd timer unit that is invoked on a daily basis. Now, the root zone key
validity is checked daily at a random time within a 24-hour window, and
compliance with RFC 5011 is ensured. (BZ#1180267)
* Previously, the unbound packages were installing their configuration file
for the systemd-tmpfiles utility into the /etc/tmpfiles.d/ directory. As a
consequence, changes to unbound made by the administrator in
/etc/tmpfiles.d/ could be overwritten on package reinstallation or update.
To fix this bug, unbound has been amended to install the configuration file
into the /usr/lib/tmpfiles.d/ directory. As a result, the system
administrator's configuration in /etc/tmpfiles.d/ is preserved, including
any changes, on package reinstallation or update. (BZ#1180995)
* The unbound server default configuration included validation of DNS
records using the DNSSEC Look-aside Validation (DLV) registry. The Internet
Systems Consortium (ISC) plans to deprecate the DLV registry service as no
longer needed, and unbound could execute unnecessary steps. Therefore, the
use of the DLV registry has been removed from the unbound server default
configuration. Now, unbound does not try to perform DNS records validation
using the DLV registry. (BZ#1223339)
All unbound users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Low</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-08-14"/>
<updated date="2015-11-19"/>
<cve href="https://access.redhat.com/security/cve/CVE-2014-8602">CVE-2014-8602</cve>
<bugzilla href="https://bugzilla.redhat.com/1172065" id="1172065">CVE-2014-8602 unbound: specially crafted request can lead to denial of service</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180267" id="1180267">root key management does not comply with RFC5011</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1180995" id="1180995">unbound is installing files under /etc/tmpfiles.d/</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="unbound is earlier than 0:1.4.20-26.el7" test_ref="oval:com.redhat.rhsa:tst:20152455007"/>
<criterion comment="unbound is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152455008"/>
</criteria>
<criteria operator="AND">
<criterion comment="unbound-devel is earlier than 0:1.4.20-26.el7" test_ref="oval:com.redhat.rhsa:tst:20152455005"/>
<criterion comment="unbound-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152455006"/>
</criteria>
<criteria operator="AND">
<criterion comment="unbound-libs is earlier than 0:1.4.20-26.el7" test_ref="oval:com.redhat.rhsa:tst:20152455011"/>
<criterion comment="unbound-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152455012"/>
</criteria>
<criteria operator="AND">
<criterion comment="unbound-python is earlier than 0:1.4.20-26.el7" test_ref="oval:com.redhat.rhsa:tst:20152455009"/>
<criterion comment="unbound-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152455010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152505" version="601">
<metadata>
<title>RHSA-2015:2505: abrt and libreport security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2505-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2505.html" source="RHSA"/>
<reference ref_id="CVE-2015-5273" ref_url="https://access.redhat.com/security/cve/CVE-2015-5273" source="CVE"/>
<reference ref_id="CVE-2015-5287" ref_url="https://access.redhat.com/security/cve/CVE-2015-5287" source="CVE"/>
<reference ref_id="CVE-2015-5302" ref_url="https://access.redhat.com/security/cve/CVE-2015-5302" source="CVE"/>
<description>ABRT (Automatic Bug Reporting Tool) is a tool to help users to detect
defects in applications and to create a bug report with all the information
needed by a maintainer to fix it. It uses a plug-in system to extend its
functionality. libreport provides an API for reporting different problems
in applications to different bug targets, such as Bugzilla, FTP, and Trac.
It was found that the ABRT debug information installer
(abrt-action-install-debuginfo-to-abrt-cache) did not use temporary
directories in a secure way. A local attacker could use the flaw to create
symbolic links and files at arbitrary locations as the abrt user.
(CVE-2015-5273)
It was discovered that the kernel-invoked coredump processor provided by
ABRT did not handle symbolic links correctly when writing core dumps of
ABRT programs to the ABRT dump directory (/var/spool/abrt). A local
attacker with write access to an ABRT problem directory could use this flaw
to escalate their privileges. (CVE-2015-5287)
It was found that ABRT may have exposed unintended information to Red Hat
Bugzilla during crash reporting. A bug in the libreport library caused
changes made by a user in files included in a crash report to be discarded.
As a result, Red Hat Bugzilla attachments may contain data that was not
intended to be made public, including host names, IP addresses, or command
line options. (CVE-2015-5302)
This flaw did not affect default installations of ABRT on Red Hat
Enterprise Linux as they do not post data to Red Hat Bugzilla. This feature
can however be enabled, potentially impacting modified ABRT instances.
As a precaution, Red Hat has identified bugs filed by such non-default Red
Hat Enterprise Linux users of ABRT and marked them private.
Red Hat would like to thank Philip Pettersson of Samsung for reporting the
CVE-2015-5273 and CVE-2015-5287 issues. The CVE-2015-5302 issue was
discovered by Bastien Nocera of Red Hat.
All users of abrt and libreport are advised to upgrade to these updated
packages, which contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-23"/>
<updated date="2015-11-23"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5273">CVE-2015-5273</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5287">CVE-2015-5287</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5302">CVE-2015-5302</cve>
<bugzilla href="https://bugzilla.redhat.com/1262252" id="1262252">CVE-2015-5273 abrt: Insecure temporary directory usage in abrt-action-install-debuginfo-to-abrt-cache</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1266837" id="1266837">CVE-2015-5287 abrt: incorrect permissions on /var/spool/abrt</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1270903" id="1270903">CVE-2015-5302 libreport: Possible private data leak in Bugzilla bugs opened by ABRT</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="abrt is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505019"/>
<criterion comment="abrt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083026"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-ccpp is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505031"/>
<criterion comment="abrt-addon-ccpp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083042"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-kerneloops is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505025"/>
<criterion comment="abrt-addon-kerneloops is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083006"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-pstoreoops is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505041"/>
<criterion comment="abrt-addon-pstoreoops is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083022"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-python is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505009"/>
<criterion comment="abrt-addon-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083030"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-upload-watch is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505033"/>
<criterion comment="abrt-addon-upload-watch is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083044"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-vmcore is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505029"/>
<criterion comment="abrt-addon-vmcore is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083018"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-addon-xorg is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505039"/>
<criterion comment="abrt-addon-xorg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083016"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-cli is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505027"/>
<criterion comment="abrt-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083032"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-console-notification is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505005"/>
<criterion comment="abrt-console-notification is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083012"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-dbus is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505013"/>
<criterion comment="abrt-dbus is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083038"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-desktop is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505011"/>
<criterion comment="abrt-desktop is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083024"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-devel is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505043"/>
<criterion comment="abrt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083010"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-gui is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505015"/>
<criterion comment="abrt-gui is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083020"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-gui-devel is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505023"/>
<criterion comment="abrt-gui-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083014"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-gui-libs is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505037"/>
<criterion comment="abrt-gui-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083028"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-libs is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505017"/>
<criterion comment="abrt-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083008"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-python is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505021"/>
<criterion comment="abrt-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083034"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-python-doc is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505045"/>
<criterion comment="abrt-python-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083046"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-retrace-client is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505007"/>
<criterion comment="abrt-retrace-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083036"/>
</criteria>
<criteria operator="AND">
<criterion comment="abrt-tui is earlier than 0:2.1.11-35.el7" test_ref="oval:com.redhat.rhsa:tst:20152505035"/>
<criterion comment="abrt-tui is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083040"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505083"/>
<criterion comment="libreport is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083068"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-anaconda is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505073"/>
<criterion comment="libreport-anaconda is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083088"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-cli is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505051"/>
<criterion comment="libreport-cli is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083074"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-compat is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505057"/>
<criterion comment="libreport-compat is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083086"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-devel is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505065"/>
<criterion comment="libreport-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083058"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-filesystem is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505079"/>
<criterion comment="libreport-filesystem is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083072"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-gtk is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505075"/>
<criterion comment="libreport-gtk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083054"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-gtk-devel is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505047"/>
<criterion comment="libreport-gtk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083076"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-newt is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505055"/>
<criterion comment="libreport-newt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083066"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-bugzilla is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505071"/>
<criterion comment="libreport-plugin-bugzilla is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083070"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-kerneloops is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505089"/>
<criterion comment="libreport-plugin-kerneloops is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083078"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-logger is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505069"/>
<criterion comment="libreport-plugin-logger is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083056"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-mailx is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505053"/>
<criterion comment="libreport-plugin-mailx is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083060"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-reportuploader is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505087"/>
<criterion comment="libreport-plugin-reportuploader is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083062"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-rhtsupport is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505063"/>
<criterion comment="libreport-plugin-rhtsupport is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083080"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-plugin-ureport is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505085"/>
<criterion comment="libreport-plugin-ureport is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083048"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-python is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505061"/>
<criterion comment="libreport-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083064"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-rhel is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505059"/>
<criterion comment="libreport-rhel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083090"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-rhel-anaconda-bugzilla is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505081"/>
<criterion comment="libreport-rhel-anaconda-bugzilla is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083050"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-rhel-bugzilla is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505049"/>
<criterion comment="libreport-rhel-bugzilla is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083052"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-web is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505077"/>
<criterion comment="libreport-web is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083082"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreport-web-devel is earlier than 0:2.1.11-31.el7" test_ref="oval:com.redhat.rhsa:tst:20152505067"/>
<criterion comment="libreport-web-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151083084"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152519" version="601">
<metadata>
<title>RHSA-2015:2519: thunderbird security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2519-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2519.html" source="RHSA"/>
<reference ref_id="CVE-2015-4513" ref_url="https://access.redhat.com/security/cve/CVE-2015-4513" source="CVE"/>
<reference ref_id="CVE-2015-7189" ref_url="https://access.redhat.com/security/cve/CVE-2015-7189" source="CVE"/>
<reference ref_id="CVE-2015-7193" ref_url="https://access.redhat.com/security/cve/CVE-2015-7193" source="CVE"/>
<reference ref_id="CVE-2015-7197" ref_url="https://access.redhat.com/security/cve/CVE-2015-7197" source="CVE"/>
<reference ref_id="CVE-2015-7198" ref_url="https://access.redhat.com/security/cve/CVE-2015-7198" source="CVE"/>
<reference ref_id="CVE-2015-7199" ref_url="https://access.redhat.com/security/cve/CVE-2015-7199" source="CVE"/>
<reference ref_id="CVE-2015-7200" ref_url="https://access.redhat.com/security/cve/CVE-2015-7200" source="CVE"/>
<description>Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-4513, CVE-2015-7189, CVE-2015-7197, CVE-2015-7198,
CVE-2015-7199, CVE-2015-7200)
A same-origin policy bypass flaw was found in the way Thunderbird handled
certain cross-origin resource sharing (CORS) requests. A web page
containing malicious content could cause Thunderbird to disclose sensitive
information. (CVE-2015-7193)
Note: All of the above issues cannot be exploited by a specially crafted
HTML mail message because JavaScript is disabled by default for mail
messages. However, they could be exploited in other ways in Thunderbird
(for example, by viewing the full remote content of an RSS feed).
Red Hat would like to thank the Mozilla project for reporting this issue.
Upstream acknowledges Christian Holler, David Major, Jesse Ruderman, Tyson
Smith, Boris Zbarsky, Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff
Walden, Gary Kwong, Looben Yang, Shinto K Anto, Ronald Crane, and Ehsan
Akhgari as the original reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.4.0. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.4.0, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-26"/>
<updated date="2015-11-26"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4513">CVE-2015-4513</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7189">CVE-2015-7189</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7193">CVE-2015-7193</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7197">CVE-2015-7197</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7198">CVE-2015-7198</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7199">CVE-2015-7199</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7200">CVE-2015-7200</cve>
<bugzilla href="https://bugzilla.redhat.com/1277332" id="1277332">CVE-2015-4513 Mozilla: Miscellaneous memory safety hazards (rv:38.4) (MFSA 2015-116)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277344" id="1277344">CVE-2015-7189 Mozilla: Buffer overflow during image interactions in canvas (MFSA 2015-123)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277346" id="1277346">CVE-2015-7193 Mozilla: CORS preflight is bypassed when non-standard Content-Type headers are received (MFSA 2015-127)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277350" id="1277350">CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 Mozilla: Vulnerabilities found through code inspection (MFSA 2015-131)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1277351" id="1277351">CVE-2015-7197 Mozilla: Mixed content WebSocket policy bypass through workers (MFSA 2015-132)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/a:redhat:rhel_productivity:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="thunderbird is earlier than 0:38.4.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20152519002"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150771003"/>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.4.0-1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20152519008"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.4.0-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152519014"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152522" version="601">
<metadata>
<title>RHSA-2015:2522: apache-commons-collections security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2522-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2522.html" source="RHSA"/>
<reference ref_id="CVE-2015-7501" ref_url="https://access.redhat.com/security/cve/CVE-2015-7501" source="CVE"/>
<description>The Apache Commons Collections library provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
With this update, deserialization of certain classes in the
commons-collections library is no longer allowed. Applications that require
those classes to be deserialized can use the system property
"org.apache.commons.collections.enableUnsafeSerialization" to re-enable
their deserialization.
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of apache-commons-collections are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
All running applications using the commons-collections library must be
restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-11-30"/>
<updated date="2015-11-30"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7501">CVE-2015-7501</cve>
<bugzilla href="https://bugzilla.redhat.com/1279330" id="1279330">CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="apache-commons-collections is earlier than 0:3.2.1-22.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152522007"/>
<criterion comment="apache-commons-collections is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152522008"/>
</criteria>
<criteria operator="AND">
<criterion comment="apache-commons-collections-javadoc is earlier than 0:3.2.1-22.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152522011"/>
<criterion comment="apache-commons-collections-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152522012"/>
</criteria>
<criteria operator="AND">
<criterion comment="apache-commons-collections-testframework is earlier than 0:3.2.1-22.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152522005"/>
<criterion comment="apache-commons-collections-testframework is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152522006"/>
</criteria>
<criteria operator="AND">
<criterion comment="apache-commons-collections-testframework-javadoc is earlier than 0:3.2.1-22.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152522009"/>
<criterion comment="apache-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152522010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152550" version="602">
<metadata>
<title>RHSA-2015:2550: libxml2 security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2550-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2550.html" source="RHSA"/>
<reference ref_id="CVE-2015-1819" ref_url="https://access.redhat.com/security/cve/CVE-2015-1819" source="CVE"/>
<reference ref_id="CVE-2015-5312" ref_url="https://access.redhat.com/security/cve/CVE-2015-5312" source="CVE"/>
<reference ref_id="CVE-2015-7497" ref_url="https://access.redhat.com/security/cve/CVE-2015-7497" source="CVE"/>
<reference ref_id="CVE-2015-7498" ref_url="https://access.redhat.com/security/cve/CVE-2015-7498" source="CVE"/>
<reference ref_id="CVE-2015-7499" ref_url="https://access.redhat.com/security/cve/CVE-2015-7499" source="CVE"/>
<reference ref_id="CVE-2015-7500" ref_url="https://access.redhat.com/security/cve/CVE-2015-7500" source="CVE"/>
<reference ref_id="CVE-2015-7941" ref_url="https://access.redhat.com/security/cve/CVE-2015-7941" source="CVE"/>
<reference ref_id="CVE-2015-7942" ref_url="https://access.redhat.com/security/cve/CVE-2015-7942" source="CVE"/>
<reference ref_id="CVE-2015-8241" ref_url="https://access.redhat.com/security/cve/CVE-2015-8241" source="CVE"/>
<reference ref_id="CVE-2015-8242" ref_url="https://access.redhat.com/security/cve/CVE-2015-8242" source="CVE"/>
<reference ref_id="CVE-2015-8317" ref_url="https://access.redhat.com/security/cve/CVE-2015-8317" source="CVE"/>
<reference ref_id="CVE-2015-8710" ref_url="https://access.redhat.com/security/cve/CVE-2015-8710" source="CVE"/>
<description>The libxml2 library is a development toolbox providing the implementation
of various XML standards.
Several denial of service flaws were found in libxml2, a library providing
support for reading, modifying, and writing XML and HTML files. A remote
attacker could provide a specially crafted XML or HTML file that, when
processed by an application using libxml2, would cause that application to
use an excessive amount of CPU, leak potentially sensitive information, or
in certain cases crash the application. (CVE-2015-1819, CVE-2015-5312,
CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500 CVE-2015-7941,
CVE-2015-7942, CVE-2015-8241, CVE-2015-8242, CVE-2015-8317, BZ#1213957,
BZ#1281955)
Red Hat would like to thank the GNOME project for reporting CVE-2015-7497,
CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-8241, CVE-2015-8242,
and CVE-2015-8317. Upstream acknowledges Kostya Serebryany of Google as the
original reporter of CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, and
CVE-2015-7500; Hugh Davenport as the original reporter of CVE-2015-8241 and
CVE-2015-8242; and Hanno Boeck as the original reporter of CVE-2015-8317.
The CVE-2015-1819 issue was discovered by Florian Weimer of Red Hat
Product Security.
All libxml2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct these issues. The desktop must be
restarted (log out, then log back in) for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-12-07"/>
<updated date="2015-12-07"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-1819">CVE-2015-1819</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5312">CVE-2015-5312</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7497">CVE-2015-7497</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7498">CVE-2015-7498</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7499">CVE-2015-7499</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7500">CVE-2015-7500</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7941">CVE-2015-7941</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7942">CVE-2015-7942</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8241">CVE-2015-8241</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8242">CVE-2015-8242</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8317">CVE-2015-8317</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8710">CVE-2015-8710</cve>
<bugzilla href="https://bugzilla.redhat.com/1211278" id="1211278">CVE-2015-1819 libxml2: denial of service processing a crafted XML document</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1213957" id="1213957">CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1274222" id="1274222">CVE-2015-7941 libxml2: Out-of-bounds memory access</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1276297" id="1276297">CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1276693" id="1276693">CVE-2015-5312 libxml2: CPU exhaustion when processing specially crafted XML input</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281862" id="1281862">CVE-2015-7497 libxml2: Heap-based buffer overflow in xmlDictComputeFastQKey</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281879" id="1281879">CVE-2015-7498 libxml2: Heap-based buffer overflow in xmlParseXmlDecl</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281925" id="1281925">CVE-2015-7499 libxml2: Heap-based buffer overflow in xmlGROW</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281930" id="1281930">CVE-2015-8317 libxml2: Out-of-bounds heap read when parsing file with unfinished xml declaration</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281936" id="1281936">CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281943" id="1281943">CVE-2015-7500 libxml2: Heap buffer overflow in xmlParseMisc</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281950" id="1281950">CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281955" id="1281955">libxml2: Multiple out-of-bounds reads in xmlDictComputeFastKey.isra.2 and xmlDictAddString.isra.O</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libxml2 is earlier than 0:2.9.1-6.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20152550011"/>
<criterion comment="libxml2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-devel is earlier than 0:2.9.1-6.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20152550005"/>
<criterion comment="libxml2-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-python is earlier than 0:2.9.1-6.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20152550009"/>
<criterion comment="libxml2-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655012"/>
</criteria>
<criteria operator="AND">
<criterion comment="libxml2-static is earlier than 0:2.9.1-6.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20152550007"/>
<criterion comment="libxml2-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141655010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152552" version="601">
<metadata>
<title>RHSA-2015:2552: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2552-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2552.html" source="RHSA"/>
<reference ref_id="CVE-2015-5307" ref_url="https://access.redhat.com/security/cve/CVE-2015-5307" source="CVE"/>
<reference ref_id="CVE-2015-8104" ref_url="https://access.redhat.com/security/cve/CVE-2015-8104" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* It was found that the x86 ISA (Instruction Set Architecture) is prone to
a denial of service attack inside a virtualized environment in the form of
an infinite loop in the microcode due to the way (sequential) delivering of
benign exceptions such as #AC (alignment check exception) and #DB (debug
exception) is handled. A privileged user inside a guest could use these
flaws to create denial of service conditions on the host kernel.
(CVE-2015-5307, CVE-2015-8104, Important)
Red Hat would like to thank Ben Serebrin of Google Inc. for reporting the
CVE-2015-5307 issue.
This update also fixes the following bugs:
* On Intel Xeon v5 platforms, the processor frequency was always tied to
the highest possible frequency. Switching p-states on these client
platforms failed. This update sets the idle frequency, busy frequency, and
processor frequency values by determining the range and adjusting the
minimal and maximal percent limit values. Now, switching p-states on the
aforementioned client platforms proceeds successfully. (BZ#1273926)
* Due to a validation error of in-kernel memory-mapped I/O (MMIO) tracing,
a VM became previously unresponsive when connected to Red Hat Enterprise
Virtualization Hypervisor. The provided patch fixes this bug by dropping
the check in MMIO handler, and a VM continues running as expected.
(BZ#1275150)
* Due to retry-able command errors, the NVMe driver previously leaked I/O
descriptors and DMA mappings. As a consequence, the kernel could become
unresponsive during the hot-unplug operation if a driver was removed.
This update fixes the driver memory leak bug on command retries, and the
kernel no longer hangs in this situation. (BZ#1279792)
* The hybrid_dma_data() function was not initialized before use, which
caused an invalid memory access when hot-plugging a PCI card. As a
consequence, a kernel oops occurred. The provided patch makes sure
hybrid_dma_data() is initialized before use, and the kernel oops no longer
occurs in this situation. (BZ#1279793)
* When running PowerPC (PPC) KVM guests and the host was experiencing a lot
of page faults, for example because it was running low on memory, the host
sometimes triggered an incorrect kind of interrupt in the guest: a data
storage exception instead of a data segment exception. This caused a kernel
panic of the PPC KVM guest. With this update, the host kernel synthesizes a
segment fault if the corresponding Segment Lookaside Buffer (SLB) lookup
fails, which prevents the kernel panic from occurring. (BZ#1281423)
* The kernel accessed an incorrect area of the khugepaged process causing
Logical Partitioning (LPAR) to become unresponsive, and an oops occurred in
medlp5. The backported upstream patch prevents an LPAR hang, and the oops
no longer occurs. (BZ#1281424)
* When the sctp module was loaded and a route to an association endpoint
was removed after receiving an Out-of-The-Blue (OOTB) chunk but before
incrementing the "dropped because of missing route" SNMP statistic, a Null
Pointer Dereference kernel panic previously occurred. This update fixes the
race condition between OOTB response and route removal. (BZ#1281426)
* The cpuscaling test of the certification test suite previously failed due
to a rounding bug in the intel-pstate driver. This bug has been fixed and
the cpuscaling test now passes. (BZ#1281491)
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-12-08"/>
<updated date="2015-12-08"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5307">CVE-2015-5307</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8104">CVE-2015-8104</cve>
<bugzilla href="https://bugzilla.redhat.com/1277172" id="1277172">CVE-2015-5307 virt: guest to host DoS by triggering an infinite loop in microcode via #AC exception</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1278496" id="1278496">CVE-2015-8104 virt: guest to host DoS by triggering an infinite loop in microcode via #DB exception</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552009"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552005"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552031"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552011"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552025"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552015"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552007"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552013"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552021"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552017"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552027"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552033"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552029"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552019"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-327.3.1.el7" test_ref="oval:com.redhat.rhsa:tst:20152552023"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152561" version="602">
<metadata>
<title>RHSA-2015:2561: git security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2561-01" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2561.html" source="RHSA"/>
<reference ref_id="CVE-2015-7545" ref_url="https://access.redhat.com/security/cve/CVE-2015-7545" source="CVE"/>
<description>Git is a distributed revision control system with a decentralized
architecture. As opposed to centralized version control systems with a
client-server model, Git ensures that each working copy of a Git repository
is an exact copy with complete revision history. This not only allows the
user to work on and contribute to projects without the need to have
permission to push the changes to their official repositories, but also
makes it possible for the user to work with no network connection.
A flaw was found in the way the git-remote-ext helper processed certain
URLs. If a user had Git configured to automatically clone submodules from
untrusted repositories, an attacker could inject commands into the URL of a
submodule, allowing them to execute arbitrary code on the user's system.
(BZ#1269794)
All git users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-12-08"/>
<updated date="2015-12-08"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7545">CVE-2015-7545</cve>
<bugzilla href="https://bugzilla.redhat.com/1269794" id="1269794">CVE-2015-7545 git: arbitrary code execution via crafted URLs</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="emacs-git is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561027"/>
<criterion comment="emacs-git is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561028"/>
</criteria>
<criteria operator="AND">
<criterion comment="emacs-git-el is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561031"/>
<criterion comment="emacs-git-el is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561032"/>
</criteria>
<criteria operator="AND">
<criterion comment="git is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561005"/>
<criterion comment="git is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561006"/>
</criteria>
<criteria operator="AND">
<criterion comment="git-all is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561011"/>
<criterion comment="git-all is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561012"/>
</criteria>
<criteria operator="AND">
<criterion comment="git-bzr is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561019"/>
<criterion comment="git-bzr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561020"/>
</criteria>
<criteria operator="AND">
<criterion comment="git-cvs is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561013"/>
<criterion comment="git-cvs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561014"/>
</criteria>
<criteria operator="AND">
<criterion comment="git-daemon is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561007"/>
<criterion comment="git-daemon is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561008"/>
</criteria>
<criteria operator="AND">
<criterion comment="git-email is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561015"/>
<criterion comment="git-email is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561016"/>
</criteria>
<criteria operator="AND">
<criterion comment="git-gui is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561021"/>
<criterion comment="git-gui is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561022"/>
</criteria>
<criteria operator="AND">
<criterion comment="git-hg is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561025"/>
<criterion comment="git-hg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561026"/>
</criteria>
<criteria operator="AND">
<criterion comment="git-p4 is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561035"/>
<criterion comment="git-p4 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561036"/>
</criteria>
<criteria operator="AND">
<criterion comment="git-svn is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561009"/>
<criterion comment="git-svn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561010"/>
</criteria>
<criteria operator="AND">
<criterion comment="gitk is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561029"/>
<criterion comment="gitk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561030"/>
</criteria>
<criteria operator="AND">
<criterion comment="gitweb is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561023"/>
<criterion comment="gitweb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561024"/>
</criteria>
<criteria operator="AND">
<criterion comment="perl-Git is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561033"/>
<criterion comment="perl-Git is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561034"/>
</criteria>
<criteria operator="AND">
<criterion comment="perl-Git-SVN is earlier than 0:1.8.3.1-6.el7" test_ref="oval:com.redhat.rhsa:tst:20152561017"/>
<criterion comment="perl-Git-SVN is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152561018"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152595" version="601">
<metadata>
<title>RHSA-2015:2595: libpng12 security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2595-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2595.html" source="RHSA"/>
<reference ref_id="CVE-2015-7981" ref_url="https://access.redhat.com/security/cve/CVE-2015-7981" source="CVE"/>
<reference ref_id="CVE-2015-8126" ref_url="https://access.redhat.com/security/cve/CVE-2015-8126" source="CVE"/>
<reference ref_id="CVE-2015-8472" ref_url="https://access.redhat.com/security/cve/CVE-2015-8472" source="CVE"/>
<description>The libpng12 packages contain a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.
It was discovered that the png_get_PLTE() and png_set_PLTE() functions of
libpng did not correctly calculate the maximum palette sizes for bit depths
of less than 8. In case an application tried to use these functions in
combination with properly calculated palette sizes, this could lead to a
buffer overflow or out-of-bounds reads. An attacker could exploit this to
cause a crash or potentially execute arbitrary code by tricking an
unsuspecting user into processing a specially crafted PNG image. However,
the exact impact is dependent on the application using the library.
(CVE-2015-8126, CVE-2015-8472)
An array-indexing error was discovered in the png_convert_to_rfc1123()
function of libpng. An attacker could possibly use this flaw to cause an
out-of-bounds read by tricking an unsuspecting user into processing a
specially crafted PNG image. (CVE-2015-7981)
All libpng12 users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-12-09"/>
<updated date="2015-12-09"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7981">CVE-2015-7981</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8126">CVE-2015-8126</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8472">CVE-2015-8472</cve>
<bugzilla href="https://bugzilla.redhat.com/1276416" id="1276416">CVE-2015-7981 libpng: Out-of-bounds read in png_convert_to_rfc1123</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281756" id="1281756">CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libpng12 is earlier than 0:1.2.50-7.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152595007"/>
<criterion comment="libpng12 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152595008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libpng12-devel is earlier than 0:1.2.50-7.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152595005"/>
<criterion comment="libpng12-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152595006"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152596" version="601">
<metadata>
<title>RHSA-2015:2596: libpng security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2596-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2596.html" source="RHSA"/>
<reference ref_id="CVE-2015-8126" ref_url="https://access.redhat.com/security/cve/CVE-2015-8126" source="CVE"/>
<reference ref_id="CVE-2015-8472" ref_url="https://access.redhat.com/security/cve/CVE-2015-8472" source="CVE"/>
<description>The libpng packages contain a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.
It was discovered that the png_get_PLTE() and png_set_PLTE() functions of
libpng did not correctly calculate the maximum palette sizes for bit depths
of less than 8. In case an application tried to use these functions in
combination with properly calculated palette sizes, this could lead to a
buffer overflow or out-of-bounds reads. An attacker could exploit this to
cause a crash or potentially execute arbitrary code by tricking an
unsuspecting user into processing a specially crafted PNG image. However,
the exact impact is dependent on the application using the library.
(CVE-2015-8126, CVE-2015-8472)
All libpng users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-12-09"/>
<updated date="2015-12-09"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8126">CVE-2015-8126</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8472">CVE-2015-8472</cve>
<bugzilla href="https://bugzilla.redhat.com/1281756" id="1281756">CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libpng is earlier than 2:1.5.13-7.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152596009"/>
<criterion comment="libpng is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152596010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libpng-devel is earlier than 2:1.5.13-7.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152596005"/>
<criterion comment="libpng-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152596006"/>
</criteria>
<criteria operator="AND">
<criterion comment="libpng-static is earlier than 2:1.5.13-7.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152596007"/>
<criterion comment="libpng-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152596008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152617" version="601">
<metadata>
<title>RHSA-2015:2617: openssl security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2015:2617-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2617.html" source="RHSA"/>
<reference ref_id="CVE-2015-3194" ref_url="https://access.redhat.com/security/cve/CVE-2015-3194" source="CVE"/>
<reference ref_id="CVE-2015-3195" ref_url="https://access.redhat.com/security/cve/CVE-2015-3195" source="CVE"/>
<reference ref_id="CVE-2015-3196" ref_url="https://access.redhat.com/security/cve/CVE-2015-3196" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
A NULL pointer derefernce flaw was found in the way OpenSSL verified
signatures using the RSA PSS algorithm. A remote attacked could possibly
use this flaw to crash a TLS/SSL client using OpenSSL, or a TLS/SSL server
using OpenSSL if it enabled client authentication. (CVE-2015-3194)
A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and
CMS data. A remote attacker could use this flaw to cause an application
that parses PKCS#7 or CMS data from untrusted sources to use an excessive
amount of memory and possibly crash. (CVE-2015-3195)
A race condition flaw, leading to a double free, was found in the way
OpenSSL handled pre-shared key (PSK) identify hints. A remote attacker
could use this flaw to crash a multi-threaded SSL/TLS client using
OpenSSL. (CVE-2015-3196)
All openssl users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For the update to take
effect, all services linked to the OpenSSL library must be restarted, or
the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-12-14"/>
<updated date="2015-12-14"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3194">CVE-2015-3194</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3195">CVE-2015-3195</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3196">CVE-2015-3196</cve>
<bugzilla href="https://bugzilla.redhat.com/1288320" id="1288320">CVE-2015-3194 OpenSSL: Certificate verify crash with missing PSS parameter</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1288322" id="1288322">CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1288326" id="1288326">CVE-2015-3196 OpenSSL: Race condition handling PSK identify hint</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 0:1.0.1e-42.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152617005"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 0:1.0.1e-42.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152617009"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 0:1.0.1e-42.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152617011"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 0:1.0.1e-42.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152617007"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-51.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152617017"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-51.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152617019"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-51.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152617021"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-51.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152617018"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-51.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152617020"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152619" version="601">
<metadata>
<title>RHSA-2015:2619: libreoffice security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2619-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2619.html" source="RHSA"/>
<reference ref_id="CVE-2015-4551" ref_url="https://access.redhat.com/security/cve/CVE-2015-4551" source="CVE"/>
<reference ref_id="CVE-2015-5212" ref_url="https://access.redhat.com/security/cve/CVE-2015-5212" source="CVE"/>
<reference ref_id="CVE-2015-5213" ref_url="https://access.redhat.com/security/cve/CVE-2015-5213" source="CVE"/>
<reference ref_id="CVE-2015-5214" ref_url="https://access.redhat.com/security/cve/CVE-2015-5214" source="CVE"/>
<description>LibreOffice is an open source, community-developed office productivity
suite. It includes key desktop applications, such as a word processor, a
spreadsheet, a presentation manager, a formula editor, and a drawing
program. LibreOffice replaces OpenOffice and provides a similar but
enhanced and extended office suite.
It was discovered that LibreOffice did not properly restrict automatic link
updates. By tricking a victim into opening specially crafted documents, an
attacker could possibly use this flaw to disclose contents of files
accessible by the victim. (CVE-2015-4551)
An integer underflow flaw leading to a heap-based buffer overflow when
parsing PrinterSetup data was discovered. By tricking a user into opening a
specially crafted document, an attacker could possibly exploit this flaw to
execute arbitrary code with the privileges of the user opening the file.
(CVE-2015-5212)
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way LibreOffice processed certain Microsoft Word .doc files.
By tricking a user into opening a specially crafted Microsoft Word .doc
document, an attacker could possibly use this flaw to execute arbitrary
code with the privileges of the user opening the file. (CVE-2015-5213)
It was discovered that LibreOffice did not properly sanity check bookmark
indexes. By tricking a user into opening a specially crafted document, an
attacker could possibly use this flaw to execute arbitrary code with the
privileges of the user opening the file. (CVE-2015-5214)
All libreoffice users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-12-14"/>
<updated date="2015-12-14"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4551">CVE-2015-4551</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5212">CVE-2015-5212</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5213">CVE-2015-5213</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5214">CVE-2015-5214</cve>
<bugzilla href="https://bugzilla.redhat.com/1278812" id="1278812">CVE-2015-4551 libreoffice: Arbitrary file disclosure in Calc and Writer</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1278820" id="1278820">CVE-2015-5212 libreoffice: Integer underflow in PrinterSetup length</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1278824" id="1278824">CVE-2015-5213 libreoffice: Integer overflow in DOC files</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1278827" id="1278827">CVE-2015-5214 libreoffice: Bookmarks in DOC documents are insufficiently checked causing memory corruption</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="autocorr-af is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619217"/>
<criterion comment="autocorr-af is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377120"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-bg is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619191"/>
<criterion comment="autocorr-bg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377314"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ca is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619211"/>
<criterion comment="autocorr-ca is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377130"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-cs is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619193"/>
<criterion comment="autocorr-cs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377194"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-da is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619245"/>
<criterion comment="autocorr-da is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377134"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-de is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619215"/>
<criterion comment="autocorr-de is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377086"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-en is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619243"/>
<criterion comment="autocorr-en is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377252"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-es is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619239"/>
<criterion comment="autocorr-es is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377096"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-fa is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619247"/>
<criterion comment="autocorr-fa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377156"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-fi is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619201"/>
<criterion comment="autocorr-fi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377126"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-fr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619223"/>
<criterion comment="autocorr-fr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377274"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ga is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619213"/>
<criterion comment="autocorr-ga is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377122"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-hr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619221"/>
<criterion comment="autocorr-hr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377136"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-hu is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619251"/>
<criterion comment="autocorr-hu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377250"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-is is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619225"/>
<criterion comment="autocorr-is is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377072"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-it is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619187"/>
<criterion comment="autocorr-it is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377180"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ja is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619253"/>
<criterion comment="autocorr-ja is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377258"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ko is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619241"/>
<criterion comment="autocorr-ko is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377310"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-lb is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619229"/>
<criterion comment="autocorr-lb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377272"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-lt is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619227"/>
<criterion comment="autocorr-lt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377286"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-mn is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619237"/>
<criterion comment="autocorr-mn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377160"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-nl is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619219"/>
<criterion comment="autocorr-nl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377240"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-pl is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619197"/>
<criterion comment="autocorr-pl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377106"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-pt is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619235"/>
<criterion comment="autocorr-pt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377146"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ro is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619233"/>
<criterion comment="autocorr-ro is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377318"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ru is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619195"/>
<criterion comment="autocorr-ru is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377168"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sk is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619207"/>
<criterion comment="autocorr-sk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377226"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sl is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619231"/>
<criterion comment="autocorr-sl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377216"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619205"/>
<criterion comment="autocorr-sr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377092"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sv is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619199"/>
<criterion comment="autocorr-sv is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377172"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-tr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619249"/>
<criterion comment="autocorr-tr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377192"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-vi is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619189"/>
<criterion comment="autocorr-vi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377132"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-zh is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619209"/>
<criterion comment="autocorr-zh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377238"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619043"/>
<criterion comment="libreoffice is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377062"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-base is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619055"/>
<criterion comment="libreoffice-base is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377152"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-bsh is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619113"/>
<criterion comment="libreoffice-bsh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377316"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-calc is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619057"/>
<criterion comment="libreoffice-calc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377298"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-core is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619035"/>
<criterion comment="libreoffice-core is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377094"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-draw is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619143"/>
<criterion comment="libreoffice-draw is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377276"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-emailmerge is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619101"/>
<criterion comment="libreoffice-emailmerge is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377196"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-filters is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619059"/>
<criterion comment="libreoffice-filters is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377266"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-gdb-debug-support is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619081"/>
<criterion comment="libreoffice-gdb-debug-support is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377088"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-glade is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619015"/>
<criterion comment="libreoffice-glade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377262"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-graphicfilter is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619119"/>
<criterion comment="libreoffice-graphicfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377078"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-headless is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619005"/>
<criterion comment="libreoffice-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377084"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-impress is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619027"/>
<criterion comment="libreoffice-impress is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377138"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-af is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619161"/>
<criterion comment="libreoffice-langpack-af is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377202"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ar is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619167"/>
<criterion comment="libreoffice-langpack-ar is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377100"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-as is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619177"/>
<criterion comment="libreoffice-langpack-as is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377268"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-bg is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619067"/>
<criterion comment="libreoffice-langpack-bg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377292"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-bn is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619107"/>
<criterion comment="libreoffice-langpack-bn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377270"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ca is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619121"/>
<criterion comment="libreoffice-langpack-ca is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377222"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-cs is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619183"/>
<criterion comment="libreoffice-langpack-cs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377224"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-cy is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619169"/>
<criterion comment="libreoffice-langpack-cy is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377190"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-da is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619175"/>
<criterion comment="libreoffice-langpack-da is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377070"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-de is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619025"/>
<criterion comment="libreoffice-langpack-de is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377154"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-dz is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619105"/>
<criterion comment="libreoffice-langpack-dz is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377280"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-el is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619037"/>
<criterion comment="libreoffice-langpack-el is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377312"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-en is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619137"/>
<criterion comment="libreoffice-langpack-en is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377256"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-es is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619185"/>
<criterion comment="libreoffice-langpack-es is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377144"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-et is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619159"/>
<criterion comment="libreoffice-langpack-et is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377296"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-eu is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619047"/>
<criterion comment="libreoffice-langpack-eu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377102"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-fi is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619103"/>
<criterion comment="libreoffice-langpack-fi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377220"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-fr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619073"/>
<criterion comment="libreoffice-langpack-fr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377166"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ga is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619011"/>
<criterion comment="libreoffice-langpack-ga is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377142"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-gl is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619115"/>
<criterion comment="libreoffice-langpack-gl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377260"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-gu is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619083"/>
<criterion comment="libreoffice-langpack-gu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377208"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-he is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619053"/>
<criterion comment="libreoffice-langpack-he is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377116"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-hi is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619123"/>
<criterion comment="libreoffice-langpack-hi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377288"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-hr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619029"/>
<criterion comment="libreoffice-langpack-hr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377198"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-hu is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619065"/>
<criterion comment="libreoffice-langpack-hu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377232"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-it is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619147"/>
<criterion comment="libreoffice-langpack-it is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377228"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ja is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619127"/>
<criterion comment="libreoffice-langpack-ja is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377184"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-kn is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619077"/>
<criterion comment="libreoffice-langpack-kn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377264"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ko is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619013"/>
<criterion comment="libreoffice-langpack-ko is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377248"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-lt is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619151"/>
<criterion comment="libreoffice-langpack-lt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377064"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-mai is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619165"/>
<criterion comment="libreoffice-langpack-mai is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377128"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ml is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619045"/>
<criterion comment="libreoffice-langpack-ml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377304"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-mr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619069"/>
<criterion comment="libreoffice-langpack-mr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377182"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ms is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619051"/>
<criterion comment="libreoffice-langpack-ms is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152619052"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nb is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619021"/>
<criterion comment="libreoffice-langpack-nb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377308"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nl is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619133"/>
<criterion comment="libreoffice-langpack-nl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377210"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nn is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619163"/>
<criterion comment="libreoffice-langpack-nn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377068"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619155"/>
<criterion comment="libreoffice-langpack-nr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377074"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nso is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619095"/>
<criterion comment="libreoffice-langpack-nso is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377118"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-or is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619085"/>
<criterion comment="libreoffice-langpack-or is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377212"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pa is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619039"/>
<criterion comment="libreoffice-langpack-pa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377206"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pl is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619017"/>
<criterion comment="libreoffice-langpack-pl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377124"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pt-BR is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619117"/>
<criterion comment="libreoffice-langpack-pt-BR is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377104"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pt-PT is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619033"/>
<criterion comment="libreoffice-langpack-pt-PT is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377186"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ro is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619181"/>
<criterion comment="libreoffice-langpack-ro is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377098"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ru is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619049"/>
<criterion comment="libreoffice-langpack-ru is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377214"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sk is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619173"/>
<criterion comment="libreoffice-langpack-sk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377188"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sl is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619079"/>
<criterion comment="libreoffice-langpack-sl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377080"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619131"/>
<criterion comment="libreoffice-langpack-sr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377302"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ss is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619089"/>
<criterion comment="libreoffice-langpack-ss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377170"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-st is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619141"/>
<criterion comment="libreoffice-langpack-st is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377242"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sv is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619087"/>
<criterion comment="libreoffice-langpack-sv is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377282"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ta is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619135"/>
<criterion comment="libreoffice-langpack-ta is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377112"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-te is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619091"/>
<criterion comment="libreoffice-langpack-te is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377148"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-th is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619063"/>
<criterion comment="libreoffice-langpack-th is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377158"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-tn is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619019"/>
<criterion comment="libreoffice-langpack-tn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377234"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-tr is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619075"/>
<criterion comment="libreoffice-langpack-tr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377140"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ts is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619149"/>
<criterion comment="libreoffice-langpack-ts is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377110"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-uk is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619179"/>
<criterion comment="libreoffice-langpack-uk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377090"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ur is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619157"/>
<criterion comment="libreoffice-langpack-ur is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152619158"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ve is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619099"/>
<criterion comment="libreoffice-langpack-ve is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377176"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-xh is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619129"/>
<criterion comment="libreoffice-langpack-xh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377300"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-zh-Hans is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619009"/>
<criterion comment="libreoffice-langpack-zh-Hans is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377174"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-zh-Hant is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619041"/>
<criterion comment="libreoffice-langpack-zh-Hant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377076"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-zu is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619109"/>
<criterion comment="libreoffice-langpack-zu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377294"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-librelogo is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619071"/>
<criterion comment="libreoffice-librelogo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377082"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-math is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619125"/>
<criterion comment="libreoffice-math is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377254"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-nlpsolver is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619031"/>
<criterion comment="libreoffice-nlpsolver is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377162"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-ogltrans is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619111"/>
<criterion comment="libreoffice-ogltrans is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377290"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-opensymbol-fonts is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619203"/>
<criterion comment="libreoffice-opensymbol-fonts is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377066"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-pdfimport is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619007"/>
<criterion comment="libreoffice-pdfimport is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377278"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-pyuno is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619061"/>
<criterion comment="libreoffice-pyuno is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377246"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-rhino is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619171"/>
<criterion comment="libreoffice-rhino is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377230"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-sdk is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619139"/>
<criterion comment="libreoffice-sdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377244"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-sdk-doc is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619097"/>
<criterion comment="libreoffice-sdk-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377114"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-ure is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619153"/>
<criterion comment="libreoffice-ure is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377164"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-wiki-publisher is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619145"/>
<criterion comment="libreoffice-wiki-publisher is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377284"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-writer is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619093"/>
<criterion comment="libreoffice-writer is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377178"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-xsltfilter is earlier than 1:4.2.8.2-11.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20152619023"/>
<criterion comment="libreoffice-xsltfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377306"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="autocorr-af is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619369"/>
<criterion comment="autocorr-af is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377120"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-bg is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619374"/>
<criterion comment="autocorr-bg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377314"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ca is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619388"/>
<criterion comment="autocorr-ca is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377130"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-cs is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619381"/>
<criterion comment="autocorr-cs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377194"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-da is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619371"/>
<criterion comment="autocorr-da is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377134"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-de is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619367"/>
<criterion comment="autocorr-de is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377086"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-en is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619373"/>
<criterion comment="autocorr-en is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377252"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-es is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619391"/>
<criterion comment="autocorr-es is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377096"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-fa is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619377"/>
<criterion comment="autocorr-fa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377156"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-fi is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619375"/>
<criterion comment="autocorr-fi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377126"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-fr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619387"/>
<criterion comment="autocorr-fr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377274"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ga is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619364"/>
<criterion comment="autocorr-ga is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377122"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-hr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619378"/>
<criterion comment="autocorr-hr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377136"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-hu is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619393"/>
<criterion comment="autocorr-hu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377250"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-is is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619380"/>
<criterion comment="autocorr-is is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377072"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-it is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619395"/>
<criterion comment="autocorr-it is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377180"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ja is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619366"/>
<criterion comment="autocorr-ja is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377258"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ko is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619392"/>
<criterion comment="autocorr-ko is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377310"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-lb is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619383"/>
<criterion comment="autocorr-lb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377272"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-lt is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619384"/>
<criterion comment="autocorr-lt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377286"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-mn is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619363"/>
<criterion comment="autocorr-mn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377160"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-nl is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619362"/>
<criterion comment="autocorr-nl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377240"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-pl is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619394"/>
<criterion comment="autocorr-pl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377106"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-pt is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619365"/>
<criterion comment="autocorr-pt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377146"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ro is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619382"/>
<criterion comment="autocorr-ro is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377318"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-ru is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619386"/>
<criterion comment="autocorr-ru is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377168"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sk is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619385"/>
<criterion comment="autocorr-sk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377226"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sl is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619389"/>
<criterion comment="autocorr-sl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377216"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619379"/>
<criterion comment="autocorr-sr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377092"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-sv is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619368"/>
<criterion comment="autocorr-sv is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377172"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-tr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619376"/>
<criterion comment="autocorr-tr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377192"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-vi is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619372"/>
<criterion comment="autocorr-vi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377132"/>
</criteria>
<criteria operator="AND">
<criterion comment="autocorr-zh is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619370"/>
<criterion comment="autocorr-zh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377238"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619347"/>
<criterion comment="libreoffice is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377062"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-base is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619281"/>
<criterion comment="libreoffice-base is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377152"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-bsh is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619297"/>
<criterion comment="libreoffice-bsh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377316"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-calc is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619345"/>
<criterion comment="libreoffice-calc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377298"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-core is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619349"/>
<criterion comment="libreoffice-core is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377094"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-draw is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619262"/>
<criterion comment="libreoffice-draw is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377276"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-emailmerge is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619303"/>
<criterion comment="libreoffice-emailmerge is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377196"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-filters is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619304"/>
<criterion comment="libreoffice-filters is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377266"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-gdb-debug-support is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619327"/>
<criterion comment="libreoffice-gdb-debug-support is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377088"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-glade is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619293"/>
<criterion comment="libreoffice-glade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377262"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-graphicfilter is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619317"/>
<criterion comment="libreoffice-graphicfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377078"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-headless is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619341"/>
<criterion comment="libreoffice-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377084"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-impress is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619306"/>
<criterion comment="libreoffice-impress is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377138"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-af is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619323"/>
<criterion comment="libreoffice-langpack-af is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377202"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ar is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619296"/>
<criterion comment="libreoffice-langpack-ar is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377100"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-as is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619315"/>
<criterion comment="libreoffice-langpack-as is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377268"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-bg is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619299"/>
<criterion comment="libreoffice-langpack-bg is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377292"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-bn is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619300"/>
<criterion comment="libreoffice-langpack-bn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377270"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-br is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619334"/>
<criterion comment="libreoffice-langpack-br is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377236"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ca is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619355"/>
<criterion comment="libreoffice-langpack-ca is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377222"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-cs is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619328"/>
<criterion comment="libreoffice-langpack-cs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377224"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-cy is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619339"/>
<criterion comment="libreoffice-langpack-cy is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377190"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-da is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619308"/>
<criterion comment="libreoffice-langpack-da is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377070"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-de is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619259"/>
<criterion comment="libreoffice-langpack-de is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377154"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-dz is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619316"/>
<criterion comment="libreoffice-langpack-dz is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377280"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-el is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619330"/>
<criterion comment="libreoffice-langpack-el is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377312"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-en is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619320"/>
<criterion comment="libreoffice-langpack-en is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377256"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-es is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619269"/>
<criterion comment="libreoffice-langpack-es is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377144"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-et is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619261"/>
<criterion comment="libreoffice-langpack-et is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377296"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-eu is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619278"/>
<criterion comment="libreoffice-langpack-eu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377102"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-fa is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619309"/>
<criterion comment="libreoffice-langpack-fa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377204"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-fi is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619288"/>
<criterion comment="libreoffice-langpack-fi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377220"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-fr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619265"/>
<criterion comment="libreoffice-langpack-fr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377166"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ga is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619268"/>
<criterion comment="libreoffice-langpack-ga is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377142"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-gl is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619356"/>
<criterion comment="libreoffice-langpack-gl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377260"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-gu is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619289"/>
<criterion comment="libreoffice-langpack-gu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377208"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-he is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619286"/>
<criterion comment="libreoffice-langpack-he is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377116"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-hi is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619357"/>
<criterion comment="libreoffice-langpack-hi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377288"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-hr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619280"/>
<criterion comment="libreoffice-langpack-hr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377198"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-hu is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619352"/>
<criterion comment="libreoffice-langpack-hu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377232"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-it is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619311"/>
<criterion comment="libreoffice-langpack-it is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377228"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ja is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619346"/>
<criterion comment="libreoffice-langpack-ja is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377184"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-kk is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619360"/>
<criterion comment="libreoffice-langpack-kk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377200"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-kn is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619277"/>
<criterion comment="libreoffice-langpack-kn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377264"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ko is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619294"/>
<criterion comment="libreoffice-langpack-ko is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377248"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-lt is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619348"/>
<criterion comment="libreoffice-langpack-lt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377064"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-lv is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619321"/>
<criterion comment="libreoffice-langpack-lv is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377150"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-mai is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619340"/>
<criterion comment="libreoffice-langpack-mai is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377128"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ml is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619353"/>
<criterion comment="libreoffice-langpack-ml is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377304"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-mr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619350"/>
<criterion comment="libreoffice-langpack-mr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377182"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nb is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619267"/>
<criterion comment="libreoffice-langpack-nb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377308"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nl is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619264"/>
<criterion comment="libreoffice-langpack-nl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377210"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nn is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619324"/>
<criterion comment="libreoffice-langpack-nn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377068"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619272"/>
<criterion comment="libreoffice-langpack-nr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377074"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-nso is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619275"/>
<criterion comment="libreoffice-langpack-nso is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377118"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-or is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619263"/>
<criterion comment="libreoffice-langpack-or is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377212"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pa is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619358"/>
<criterion comment="libreoffice-langpack-pa is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377206"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pl is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619279"/>
<criterion comment="libreoffice-langpack-pl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377124"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pt-BR is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619292"/>
<criterion comment="libreoffice-langpack-pt-BR is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377104"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-pt-PT is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619298"/>
<criterion comment="libreoffice-langpack-pt-PT is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377186"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ro is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619359"/>
<criterion comment="libreoffice-langpack-ro is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377098"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ru is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619314"/>
<criterion comment="libreoffice-langpack-ru is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377214"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-si is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619318"/>
<criterion comment="libreoffice-langpack-si is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377218"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sk is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619276"/>
<criterion comment="libreoffice-langpack-sk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377188"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sl is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619336"/>
<criterion comment="libreoffice-langpack-sl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377080"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619344"/>
<criterion comment="libreoffice-langpack-sr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377302"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ss is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619332"/>
<criterion comment="libreoffice-langpack-ss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377170"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-st is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619326"/>
<criterion comment="libreoffice-langpack-st is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377242"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-sv is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619285"/>
<criterion comment="libreoffice-langpack-sv is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377282"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ta is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619337"/>
<criterion comment="libreoffice-langpack-ta is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377112"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-te is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619338"/>
<criterion comment="libreoffice-langpack-te is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377148"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-th is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619295"/>
<criterion comment="libreoffice-langpack-th is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377158"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-tn is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619291"/>
<criterion comment="libreoffice-langpack-tn is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377234"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-tr is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619283"/>
<criterion comment="libreoffice-langpack-tr is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377140"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ts is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619282"/>
<criterion comment="libreoffice-langpack-ts is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377110"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-uk is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619325"/>
<criterion comment="libreoffice-langpack-uk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377090"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-ve is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619273"/>
<criterion comment="libreoffice-langpack-ve is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377176"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-xh is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619329"/>
<criterion comment="libreoffice-langpack-xh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377300"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-zh-Hans is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619290"/>
<criterion comment="libreoffice-langpack-zh-Hans is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377174"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-zh-Hant is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619266"/>
<criterion comment="libreoffice-langpack-zh-Hant is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377076"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-langpack-zu is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619274"/>
<criterion comment="libreoffice-langpack-zu is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377294"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-librelogo is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619284"/>
<criterion comment="libreoffice-librelogo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377082"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-math is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619333"/>
<criterion comment="libreoffice-math is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377254"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-nlpsolver is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619301"/>
<criterion comment="libreoffice-nlpsolver is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377162"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-officebean is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619312"/>
<criterion comment="libreoffice-officebean is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152619313"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-ogltrans is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619260"/>
<criterion comment="libreoffice-ogltrans is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377290"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-opensymbol-fonts is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619390"/>
<criterion comment="libreoffice-opensymbol-fonts is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377066"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-pdfimport is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619302"/>
<criterion comment="libreoffice-pdfimport is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377278"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-postgresql is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619270"/>
<criterion comment="libreoffice-postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377108"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-pyuno is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619305"/>
<criterion comment="libreoffice-pyuno is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377246"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-rhino is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619307"/>
<criterion comment="libreoffice-rhino is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377230"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-sdk is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619343"/>
<criterion comment="libreoffice-sdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377244"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-sdk-doc is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619342"/>
<criterion comment="libreoffice-sdk-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377114"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-ure is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619287"/>
<criterion comment="libreoffice-ure is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377164"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-wiki-publisher is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619331"/>
<criterion comment="libreoffice-wiki-publisher is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377284"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-writer is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619351"/>
<criterion comment="libreoffice-writer is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377178"/>
</criteria>
<criteria operator="AND">
<criterion comment="libreoffice-xsltfilter is earlier than 1:4.3.7.2-5.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152619354"/>
<criterion comment="libreoffice-xsltfilter is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150377306"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152623" version="603">
<metadata>
<title>RHSA-2015:2623: grub2 security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2623-02" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2623.html" source="RHSA"/>
<reference ref_id="CVE-2015-8370" ref_url="https://access.redhat.com/security/cve/CVE-2015-8370" source="CVE"/>
<description>The grub2 packages provide version 2 of the Grand Unified Bootloader
(GRUB), a highly configurable and customizable bootloader with modular
architecture. The packages support a variety of kernel formats, file
systems, computer architectures, and hardware devices.
A flaw was found in the way the grub2 handled backspace characters entered
in username and password prompts. An attacker with access to the system
console could use this flaw to bypass grub2 password protection and gain
administrative access to the system. (CVE-2015-8370)
This update also fixes the following bug:
* When upgrading from Red Hat Enterprise Linux 7.1 and earlier, a
configured boot password was not correctly migrated to the newly introduced
user.cfg configuration files. This could possibly prevent system
administrators from changing grub2 configuration during system boot even if
they provided the correct password. This update corrects the password
migration script and the incorrectly generated user.cfg file. (BZ#1290089)
All grub2 users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. For this update to take
effect on BIOS-based machines, grub2 needs to be reinstalled as documented
in the "Reinstalling GRUB 2 on BIOS-Based Machines" section of the Red Hat
Enterprise Linux 7 System Administrator's Guide linked to in the References
section. No manual action is needed on UEFI-based machines.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2015-12-15"/>
<updated date="2016-01-27"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8370">CVE-2015-8370</cve>
<bugzilla href="https://bugzilla.redhat.com/1286966" id="1286966">CVE-2015-8370 grub2: buffer overflow when checking password entered during bootup</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1290089" id="1290089">Grub password broken by update from RHEL7.1 to RHEL7.2</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="grub2 is earlier than 1:2.02-0.33.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152623005"/>
<criterion comment="grub2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152401006"/>
</criteria>
<criteria operator="AND">
<criterion comment="grub2-efi is earlier than 1:2.02-0.33.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152623009"/>
<criterion comment="grub2-efi is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152401012"/>
</criteria>
<criteria operator="AND">
<criterion comment="grub2-efi-modules is earlier than 1:2.02-0.33.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152623011"/>
<criterion comment="grub2-efi-modules is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152401010"/>
</criteria>
<criteria operator="AND">
<criterion comment="grub2-tools is earlier than 1:2.02-0.33.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152623007"/>
<criterion comment="grub2-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152401008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152655" version="601">
<metadata>
<title>RHSA-2015:2655: bind security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2015:2655-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2655.html" source="RHSA"/>
<reference ref_id="CVE-2015-8000" ref_url="https://access.redhat.com/security/cve/CVE-2015-8000" source="CVE"/>
<description>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.
A denial of service flaw was found in the way BIND processed certain
records with malformed class attributes. A remote attacker could use this
flaw to send a query to request a cached record with a malformed class
attribute that would cause named functioning as an authoritative or
recursive server to crash. (CVE-2015-8000)
Note: This issue affects authoritative servers as well as recursive
servers, however authoritative servers are at limited risk if they perform
authentication when making recursive queries to resolve addresses for
servers listed in NS RRSETs.
Red Hat would like to thank ISC for reporting this issue.
All bind users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, the BIND daemon (named) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-12-16"/>
<updated date="2015-12-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8000">CVE-2015-8000</cve>
<bugzilla href="https://bugzilla.redhat.com/1291176" id="1291176">CVE-2015-8000 bind: responses with a malformed class attribute can trigger an assertion failure in db.c</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.8.2-0.37.rc1.el6_7.5" test_ref="oval:com.redhat.rhsa:tst:20152655009"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.8.2-0.37.rc1.el6_7.5" test_ref="oval:com.redhat.rhsa:tst:20152655015"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.8.2-0.37.rc1.el6_7.5" test_ref="oval:com.redhat.rhsa:tst:20152655011"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.8.2-0.37.rc1.el6_7.5" test_ref="oval:com.redhat.rhsa:tst:20152655007"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.8.2-0.37.rc1.el6_7.5" test_ref="oval:com.redhat.rhsa:tst:20152655013"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.8.2-0.37.rc1.el6_7.5" test_ref="oval:com.redhat.rhsa:tst:20152655005"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655040"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655034"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655033"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655039"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs-lite is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655024"/>
<criterion comment="bind-libs-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984041"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-license is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655041"/>
<criterion comment="bind-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984029"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-lite-devel is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655035"/>
<criterion comment="bind-lite-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984039"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-pkcs11 is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655031"/>
<criterion comment="bind-pkcs11 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152655032"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-pkcs11-devel is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655027"/>
<criterion comment="bind-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152655028"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-pkcs11-libs is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655029"/>
<criterion comment="bind-pkcs11-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152655030"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-pkcs11-utils is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655022"/>
<criterion comment="bind-pkcs11-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152655023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655026"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb-chroot is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655037"/>
<criterion comment="bind-sdb-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984035"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.9.4-29.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20152655021"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20152657" version="601">
<metadata>
<title>RHSA-2015:2657: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2015:2657-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-2657.html" source="RHSA"/>
<reference ref_id="CVE-2015-7201" ref_url="https://access.redhat.com/security/cve/CVE-2015-7201" source="CVE"/>
<reference ref_id="CVE-2015-7205" ref_url="https://access.redhat.com/security/cve/CVE-2015-7205" source="CVE"/>
<reference ref_id="CVE-2015-7210" ref_url="https://access.redhat.com/security/cve/CVE-2015-7210" source="CVE"/>
<reference ref_id="CVE-2015-7212" ref_url="https://access.redhat.com/security/cve/CVE-2015-7212" source="CVE"/>
<reference ref_id="CVE-2015-7213" ref_url="https://access.redhat.com/security/cve/CVE-2015-7213" source="CVE"/>
<reference ref_id="CVE-2015-7214" ref_url="https://access.redhat.com/security/cve/CVE-2015-7214" source="CVE"/>
<reference ref_id="CVE-2015-7222" ref_url="https://access.redhat.com/security/cve/CVE-2015-7222" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2015-7201, CVE-2015-7205, CVE-2015-7210, CVE-2015-7212,
CVE-2015-7213, CVE-2015-7222)
A flaw was found in the way Firefox handled content using the 'data:' and
'view-source:' URIs. An attacker could use this flaw to bypass the
same-origin policy and read data from cross-site URLs and local files.
(CVE-2015-7214)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Andrei Vaida, Jesse Ruderman, Bob Clary, Looben Yang,
Abhishek Arya, Ronald Crane, Gerald Squelart, and Tsubasa Iinuma as the
original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.5.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2015 Red Hat, Inc.</rights>
<issued date="2015-12-16"/>
<updated date="2015-12-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7201">CVE-2015-7201</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7205">CVE-2015-7205</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7210">CVE-2015-7210</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7212">CVE-2015-7212</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7213">CVE-2015-7213</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7214">CVE-2015-7214</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7222">CVE-2015-7222</cve>
<bugzilla href="https://bugzilla.redhat.com/1291571" id="1291571">CVE-2015-7201 Mozilla: Miscellaneous memory safety hazards (rv:38.5) (MFSA 2015-134)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291585" id="1291585">CVE-2015-7210 Mozilla: Use-after-free in WebRTC when datachannel is used after being destroyed (MFSA 2015-138)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291587" id="1291587">CVE-2015-7212 Mozilla: Integer overflow allocating extremely large textures (MFSA 2015-139)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291595" id="1291595">CVE-2015-7205 Mozilla: Underflow through code inspection (MFSA 2015-145)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291596" id="1291596">CVE-2015-7213 Mozilla: Integer overflow in MP4 playback in 64-bit versions (MFSA 2015-146)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291597" id="1291597">CVE-2015-7222 Mozilla: Integer underflow and buffer overflow processing MP4 metadata in libstagefright (MFSA 2015-147)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291600" id="1291600">CVE-2015-7214 Mozilla: Cross-site reading attack through data: and view-source: URIs (MFSA 2015-149)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.5.0-2.el5_11" test_ref="oval:com.redhat.rhsa:tst:20152657002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.5.0-2.el6_7" test_ref="oval:com.redhat.rhsa:tst:20152657008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.5.0-3.el7_2" test_ref="oval:com.redhat.rhsa:tst:20152657014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160001" version="601">
<metadata>
<title>RHSA-2016:0001: thunderbird security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0001-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0001.html" source="RHSA"/>
<reference ref_id="CVE-2015-7201" ref_url="https://access.redhat.com/security/cve/CVE-2015-7201" source="CVE"/>
<reference ref_id="CVE-2015-7205" ref_url="https://access.redhat.com/security/cve/CVE-2015-7205" source="CVE"/>
<reference ref_id="CVE-2015-7212" ref_url="https://access.redhat.com/security/cve/CVE-2015-7212" source="CVE"/>
<reference ref_id="CVE-2015-7213" ref_url="https://access.redhat.com/security/cve/CVE-2015-7213" source="CVE"/>
<reference ref_id="CVE-2015-7214" ref_url="https://access.redhat.com/security/cve/CVE-2015-7214" source="CVE"/>
<description>Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2015-7201, CVE-2015-7205, CVE-2015-7212, CVE-2015-7213)
A flaw was found in the way Thunderbird handled content using the 'data:'
and 'view-source:' URIs. An attacker could use this flaw to bypass the
same-origin policy and read data from cross-site URLs and local files.
(CVE-2015-7214)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Andrei Vaida, Jesse Ruderman, Bob Clary, Abhishek
Arya, Ronald Crane, and Tsubasa Iinuma as the original reporters of these
issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.5.0. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.5.0, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-05"/>
<updated date="2016-01-05"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7201">CVE-2015-7201</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7205">CVE-2015-7205</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7212">CVE-2015-7212</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7213">CVE-2015-7213</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7214">CVE-2015-7214</cve>
<bugzilla href="https://bugzilla.redhat.com/1291571" id="1291571">CVE-2015-7201 Mozilla: Miscellaneous memory safety hazards (rv:38.5) (MFSA 2015-134)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291587" id="1291587">CVE-2015-7212 Mozilla: Integer overflow allocating extremely large textures (MFSA 2015-139)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291595" id="1291595">CVE-2015-7205 Mozilla: Underflow through code inspection (MFSA 2015-145)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291596" id="1291596">CVE-2015-7213 Mozilla: Integer overflow in MP4 playback in 64-bit versions (MFSA 2015-146)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1291600" id="1291600">CVE-2015-7214 Mozilla: Cross-site reading attack through data: and view-source: URIs (MFSA 2015-149)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/a:redhat:rhel_productivity:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="thunderbird is earlier than 0:38.5.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160001002"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150771003"/>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.5.0-1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160001008"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.5.0-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160001014"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160005" version="601">
<metadata>
<title>RHSA-2016:0005: rpcbind security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2016:0005-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0005.html" source="RHSA"/>
<reference ref_id="CVE-2015-7236" ref_url="https://access.redhat.com/security/cve/CVE-2015-7236" source="CVE"/>
<description>The rpcbind utility is a server that converts RPC program numbers into
universal addresses. It must be running on the host to be able to make RPC
calls on a server on that machine.
A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP
connections was discovered in rpcbind. A remote attacker could possibly
exploit this flaw to crash the rpcbind service by performing a series of
UDP and TCP calls. (CVE-2015-7236)
All rpcbind users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. If the rpcbind service
is running, it will be automatically restarted after installing this
update.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-07"/>
<updated date="2016-01-07"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7236">CVE-2015-7236</cve>
<bugzilla href="https://bugzilla.redhat.com/1264345" id="1264345">CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="rpcbind is earlier than 0:0.2.0-11.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160005005"/>
<criterion comment="rpcbind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160005006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="rpcbind is earlier than 0:0.2.0-33.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160005011"/>
<criterion comment="rpcbind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160005006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160006" version="602">
<metadata>
<title>RHSA-2016:0006: samba security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0006-01" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0006.html" source="RHSA"/>
<reference ref_id="CVE-2015-5252" ref_url="https://access.redhat.com/security/cve/CVE-2015-5252" source="CVE"/>
<reference ref_id="CVE-2015-5296" ref_url="https://access.redhat.com/security/cve/CVE-2015-5296" source="CVE"/>
<reference ref_id="CVE-2015-5299" ref_url="https://access.redhat.com/security/cve/CVE-2015-5299" source="CVE"/>
<reference ref_id="CVE-2015-5330" ref_url="https://access.redhat.com/security/cve/CVE-2015-5330" source="CVE"/>
<description>Samba is an open-source implementation of the Server Message Block (SMB) or
Common Internet File System (CIFS) protocol, which allows PC-compatible
machines to share files, printers, and other information.
A denial of service flaw was found in the LDAP server provided by the AD DC
in the Samba process daemon. A remote attacker could exploit this flaw by
sending a specially crafted packet, which could cause the server to consume
an excessive amount of memory and crash. (CVE-2015-7540)
Multiple buffer over-read flaws were found in the way Samba handled
malformed inputs in certain encodings. An authenticated, remote attacker
could possibly use these flaws to disclose portions of the server memory.
(CVE-2015-5330)
A man-in-the-middle vulnerability was found in the way "connection signing"
was implemented by Samba. A remote attacker could use this flaw to
downgrade an existing Samba client connection and force the use of plain
text. (CVE-2015-5296)
A missing access control flaw was found in Samba. A remote, authenticated
attacker could use this flaw to view the current snapshot on a Samba share,
despite not having DIRECTORY_LIST access rights. (CVE-2015-5299)
An access flaw was found in the way Samba verified symbolic links when
creating new files on a Samba share. A remote attacker could exploit this
flaw to gain access to files outside of Samba's share path. (CVE-2015-5252)
Red Hat would like to thank the Samba project for reporting these issues.
Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as
the original reporters of CVE-2015-5296, partha@exablox.com as the original
reporter of CVE-2015-5299, Jan "Yenya" Kasprzak and the Computer Systems
Unit team at Faculty of Informatics, Masaryk University as the original
reporters of CVE-2015-5252 flaws, and Douglas Bagnall as the original
reporter of CVE-2015-5330.
All samba users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the smb service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-07"/>
<updated date="2016-01-08"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5252">CVE-2015-5252</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5296">CVE-2015-5296</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5299">CVE-2015-5299</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5330">CVE-2015-5330</cve>
<bugzilla href="https://bugzilla.redhat.com/1276126" id="1276126">CVE-2015-5299 Samba: Missing access control check in shadow copy code</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1281326" id="1281326">CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1288451" id="1288451">CVE-2015-7540 samba: DoS to AD-DC due to insufficient checking of asn1 memory allocation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1290288" id="1290288">CVE-2015-5252 samba: Insufficient symlink verification in smbd</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1290292" id="1290292">CVE-2015-5296 samba: client requesting encryption vulnerable to downgrade attack</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ctdb is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006013"/>
<criterion comment="ctdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160006014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ctdb-devel is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006045"/>
<criterion comment="ctdb-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160006046"/>
</criteria>
<criteria operator="AND">
<criterion comment="ctdb-tests is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006035"/>
<criterion comment="ctdb-tests is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160006036"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsmbclient is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006005"/>
<criterion comment="libsmbclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867038"/>
</criteria>
<criteria operator="AND">
<criterion comment="libsmbclient-devel is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006049"/>
<criterion comment="libsmbclient-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867032"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwbclient is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006047"/>
<criterion comment="libwbclient is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867026"/>
</criteria>
<criteria operator="AND">
<criterion comment="libwbclient-devel is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006041"/>
<criterion comment="libwbclient-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867008"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006031"/>
<criterion comment="samba is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867006"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-client is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006039"/>
<criterion comment="samba-client is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867042"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-client-libs is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006043"/>
<criterion comment="samba-client-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160006044"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-common is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006055"/>
<criterion comment="samba-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867034"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-common-libs is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006011"/>
<criterion comment="samba-common-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160006012"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-common-tools is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006015"/>
<criterion comment="samba-common-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160006016"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-dc is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006033"/>
<criterion comment="samba-dc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867028"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-dc-libs is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006019"/>
<criterion comment="samba-dc-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867014"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-devel is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006053"/>
<criterion comment="samba-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867020"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-libs is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006025"/>
<criterion comment="samba-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867024"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-pidl is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006057"/>
<criterion comment="samba-pidl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867022"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-python is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006051"/>
<criterion comment="samba-python is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867010"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-test is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006017"/>
<criterion comment="samba-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867040"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-test-devel is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006023"/>
<criterion comment="samba-test-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867030"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-test-libs is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006027"/>
<criterion comment="samba-test-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160006028"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-vfs-glusterfs is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006021"/>
<criterion comment="samba-vfs-glusterfs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867044"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006007"/>
<criterion comment="samba-winbind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867036"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-clients is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006037"/>
<criterion comment="samba-winbind-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867018"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-krb5-locator is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006029"/>
<criterion comment="samba-winbind-krb5-locator is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867012"/>
</criteria>
<criteria operator="AND">
<criterion comment="samba-winbind-modules is earlier than 0:4.2.3-11.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160006009"/>
<criterion comment="samba-winbind-modules is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140867016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160007" version="601">
<metadata>
<title>RHSA-2016:0007: nss security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2016:0007-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0007.html" source="RHSA"/>
<reference ref_id="CVE-2015-7575" ref_url="https://access.redhat.com/security/cve/CVE-2015-7575" source="CVE"/>
<description>Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications.
A flaw was found in the way TLS 1.2 could use the MD5 hash function for
signing ServerKeyExchange and Client Authentication packets during a TLS
handshake. A man-in-the-middle attacker able to force a TLS connection to
use the MD5 hash function could use this flaw to conduct collision attacks
to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)
All nss users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all services linked to the NSS library must be restarted, or the
system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-07"/>
<updated date="2016-01-07"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7575">CVE-2015-7575</cve>
<bugzilla href="https://bugzilla.redhat.com/1289841" id="1289841">CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.19.1-8.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160007011"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.19.1-8.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160007013"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.19.1-8.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160007009"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.19.1-8.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160007007"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.19.1-8.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160007005"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="nss is earlier than 0:3.19.1-19.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160007023"/>
<criterion comment="nss is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916019"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-devel is earlier than 0:3.19.1-19.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160007019"/>
<criterion comment="nss-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916023"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-pkcs11-devel is earlier than 0:3.19.1-19.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160007020"/>
<criterion comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916021"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-sysinit is earlier than 0:3.19.1-19.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160007022"/>
<criterion comment="nss-sysinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916025"/>
</criteria>
<criteria operator="AND">
<criterion comment="nss-tools is earlier than 0:3.19.1-19.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160007021"/>
<criterion comment="nss-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140916027"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160008" version="601">
<metadata>
<title>RHSA-2016:0008: openssl security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0008-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0008.html" source="RHSA"/>
<reference ref_id="CVE-2015-7575" ref_url="https://access.redhat.com/security/cve/CVE-2015-7575" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
A flaw was found in the way TLS 1.2 could use the MD5 hash function for
signing ServerKeyExchange and Client Authentication packets during a TLS
handshake. A man-in-the-middle attacker able to force a TLS connection to
use the MD5 hash function could use this flaw to conduct collision attacks
to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)
All openssl users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all services linked to the OpenSSL library must be restarted, or
the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-07"/>
<updated date="2016-01-08"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7575">CVE-2015-7575</cve>
<bugzilla href="https://bugzilla.redhat.com/1289841" id="1289841">CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 0:1.0.1e-42.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20160008009"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 0:1.0.1e-42.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20160008005"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 0:1.0.1e-42.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20160008007"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 0:1.0.1e-42.el6_7.2" test_ref="oval:com.redhat.rhsa:tst:20160008011"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-51.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160008019"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-51.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160008017"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-51.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160008020"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-51.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160008022"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-51.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160008018"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160009" version="601">
<metadata>
<title>RHSA-2016:0009: libldb security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2016:0009-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0009.html" source="RHSA"/>
<reference ref_id="CVE-2015-3223" ref_url="https://access.redhat.com/security/cve/CVE-2015-3223" source="CVE"/>
<reference ref_id="CVE-2015-5330" ref_url="https://access.redhat.com/security/cve/CVE-2015-5330" source="CVE"/>
<description>The libldb packages provide an extensible library that implements an
LDAP-like API to access remote LDAP servers, or use local TDB databases.
A denial of service flaw was found in the ldb_wildcard_compare() function
of libldb. A remote attacker could send a specially crafted packet that,
when processed by an application using libldb (for example the AD LDAP
server in Samba), would cause that application to consume an excessive
amount of memory and crash. (CVE-2015-3223)
A memory-read flaw was found in the way the libldb library processed LDB DN
records with a null byte. An authenticated, remote attacker could use this
flaw to read heap-memory pages from the server. (CVE-2015-5330)
Red Hat would like to thank the Samba project for reporting these issues.
Upstream acknowledges Thilo Uttendorfer as the original reporter of
CVE-2015-3223, and Douglas Bagnall as the original reporter of
CVE-2015-5330.
All libldb users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-07"/>
<updated date="2016-01-07"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3223">CVE-2015-3223</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5330">CVE-2015-5330</cve>
<bugzilla href="https://bugzilla.redhat.com/1281326" id="1281326">CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1290287" id="1290287">CVE-2015-3223 libldb: Remote DoS in Samba (AD) LDAP server</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ldb-tools is earlier than 0:1.1.13-3.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20160009007"/>
<criterion comment="ldb-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libldb is earlier than 0:1.1.13-3.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20160009009"/>
<criterion comment="libldb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libldb-devel is earlier than 0:1.1.13-3.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20160009013"/>
<criterion comment="libldb-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009014"/>
</criteria>
<criteria operator="AND">
<criterion comment="pyldb is earlier than 0:1.1.13-3.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20160009005"/>
<criterion comment="pyldb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009006"/>
</criteria>
<criteria operator="AND">
<criterion comment="pyldb-devel is earlier than 0:1.1.13-3.el6_7.1" test_ref="oval:com.redhat.rhsa:tst:20160009011"/>
<criterion comment="pyldb-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ldb-tools is earlier than 0:1.1.20-1.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160009020"/>
<criterion comment="ldb-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libldb is earlier than 0:1.1.20-1.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160009019"/>
<criterion comment="libldb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libldb-devel is earlier than 0:1.1.20-1.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160009021"/>
<criterion comment="libldb-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009014"/>
</criteria>
<criteria operator="AND">
<criterion comment="pyldb is earlier than 0:1.1.20-1.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160009022"/>
<criterion comment="pyldb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009006"/>
</criteria>
<criteria operator="AND">
<criterion comment="pyldb-devel is earlier than 0:1.1.20-1.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160009023"/>
<criterion comment="pyldb-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160009012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160012" version="601">
<metadata>
<title>RHSA-2016:0012: gnutls security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0012-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0012.html" source="RHSA"/>
<reference ref_id="CVE-2015-7575" ref_url="https://access.redhat.com/security/cve/CVE-2015-7575" source="CVE"/>
<description>The GnuTLS library provides support for cryptographic algorithms and for
protocols such as Transport Layer Security (TLS).
A flaw was found in the way TLS 1.2 could use the MD5 hash function for
signing ServerKeyExchange and Client Authentication packets during a TLS
handshake. A man-in-the-middle attacker able to force a TLS connection to
use the MD5 hash function could use this flaw to conduct collision attacks
to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)
All gnutls users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all applications linked to the GnuTLS library must be restarted.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-07"/>
<updated date="2016-01-07"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7575">CVE-2015-7575</cve>
<bugzilla href="https://bugzilla.redhat.com/1289841" id="1289841">CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="gnutls is earlier than 0:2.8.5-19.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160012005"/>
<criterion comment="gnutls is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684006"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-devel is earlier than 0:2.8.5-19.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160012007"/>
<criterion comment="gnutls-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684014"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-guile is earlier than 0:2.8.5-19.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160012011"/>
<criterion comment="gnutls-guile is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160012012"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-utils is earlier than 0:2.8.5-19.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160012009"/>
<criterion comment="gnutls-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="gnutls is earlier than 0:3.3.8-14.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160012019"/>
<criterion comment="gnutls is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684006"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-c++ is earlier than 0:3.3.8-14.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160012020"/>
<criterion comment="gnutls-c++ is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684010"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-dane is earlier than 0:3.3.8-14.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160012017"/>
<criterion comment="gnutls-dane is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684008"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-devel is earlier than 0:3.3.8-14.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160012023"/>
<criterion comment="gnutls-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684014"/>
</criteria>
<criteria operator="AND">
<criterion comment="gnutls-utils is earlier than 0:3.3.8-14.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160012022"/>
<criterion comment="gnutls-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140684012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160043" version="601">
<metadata>
<title>RHSA-2016:0043: openssh security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0043-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0043.html" source="RHSA"/>
<reference ref_id="CVE-2016-0777" ref_url="https://access.redhat.com/security/cve/CVE-2016-0777" source="CVE"/>
<reference ref_id="CVE-2016-0778" ref_url="https://access.redhat.com/security/cve/CVE-2016-0778" source="CVE"/>
<description>OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation.
These packages include the core files necessary for both the OpenSSH client
and server.
An information leak flaw was found in the way the OpenSSH client roaming
feature was implemented. A malicious server could potentially use this flaw
to leak portions of memory (possibly including private SSH keys) of a
successfully authenticated OpenSSH client. (CVE-2016-0777)
A buffer overflow flaw was found in the way the OpenSSH client roaming
feature was implemented. A malicious server could potentially use this flaw
to execute arbitrary code on a successfully authenticated OpenSSH client if
that client used certain non-default configuration options. (CVE-2016-0778)
Red Hat would like to thank Qualys for reporting these issues.
All openssh users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the OpenSSH server daemon (sshd) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-14"/>
<updated date="2016-01-14"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0777">CVE-2016-0777</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0778">CVE-2016-0778</cve>
<bugzilla href="https://bugzilla.redhat.com/1298032" id="1298032">CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1298033" id="1298033">CVE-2016-0778 OpenSSH: Client buffer-overflow when using roaming connections</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssh is earlier than 0:6.6.1p1-23.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160043019"/>
<criterion comment="openssh is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-askpass is earlier than 0:6.6.1p1-23.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160043011"/>
<criterion comment="openssh-askpass is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-clients is earlier than 0:6.6.1p1-23.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160043017"/>
<criterion comment="openssh-clients is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425018"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-keycat is earlier than 0:6.6.1p1-23.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160043007"/>
<criterion comment="openssh-keycat is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425012"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-ldap is earlier than 0:6.6.1p1-23.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160043005"/>
<criterion comment="openssh-ldap is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-server is earlier than 0:6.6.1p1-23.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160043009"/>
<criterion comment="openssh-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssh-server-sysvinit is earlier than 0:6.6.1p1-23.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160043013"/>
<criterion comment="openssh-server-sysvinit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425016"/>
</criteria>
<criteria operator="AND">
<criterion comment="pam_ssh_agent_auth is earlier than 0:0.9.3-9.23.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160043015"/>
<criterion comment="pam_ssh_agent_auth is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150425020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160049" version="601">
<metadata>
<title>RHSA-2016:0049: java-1.8.0-openjdk security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0049-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0049.html" source="RHSA"/>
<reference ref_id="CVE-2015-7575" ref_url="https://access.redhat.com/security/cve/CVE-2015-7575" source="CVE"/>
<reference ref_id="CVE-2016-0402" ref_url="https://access.redhat.com/security/cve/CVE-2016-0402" source="CVE"/>
<reference ref_id="CVE-2016-0448" ref_url="https://access.redhat.com/security/cve/CVE-2016-0448" source="CVE"/>
<reference ref_id="CVE-2016-0466" ref_url="https://access.redhat.com/security/cve/CVE-2016-0466" source="CVE"/>
<reference ref_id="CVE-2016-0475" ref_url="https://access.redhat.com/security/cve/CVE-2016-0475" source="CVE"/>
<reference ref_id="CVE-2016-0483" ref_url="https://access.redhat.com/security/cve/CVE-2016-0483" source="CVE"/>
<reference ref_id="CVE-2016-0494" ref_url="https://access.redhat.com/security/cve/CVE-2016-0494" source="CVE"/>
<description>The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
An out-of-bounds write flaw was found in the JPEG image format decoder in
the AWT component in OpenJDK. A specially crafted JPEG image could cause
a Java application to crash or, possibly execute arbitrary code. An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions. (CVE-2016-0483)
An integer signedness issue was found in the font parsing code in the 2D
component in OpenJDK. A specially crafted font file could possibly cause
the Java Virtual Machine to execute arbitrary code, allowing an untrusted
Java application or applet to bypass Java sandbox restrictions.
(CVE-2016-0494)
It was discovered that the password-based encryption (PBE) implementation
in the Libraries component in OpenJDK used an incorrect key length. This
could, in certain cases, lead to generation of keys that were weaker than
expected. (CVE-2016-0475)
It was discovered that the JAXP component in OpenJDK did not properly
enforce the totalEntitySizeLimit limit. An attacker able to make a Java
application process a specially crafted XML file could use this flaw to
make the application consume an excessive amount of memory. (CVE-2016-0466)
A flaw was found in the way TLS 1.2 could use the MD5 hash function for
signing ServerKeyExchange and Client Authentication packets during a TLS
handshake. A man-in-the-middle attacker able to force a TLS connection to
use the MD5 hash function could use this flaw to conduct collision attacks
to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)
Multiple flaws were discovered in the Networking and JMX components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2016-0402, CVE-2016-0448)
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
Note: This update also disallows the use of the MD5 hash algorithm in the
certification path processing. The use of MD5 can be re-enabled by removing
MD5 from the jdk.certpath.disabledAlgorithms security property defined in
the java.security file.
All users of java-1.8.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-20"/>
<updated date="2016-01-20"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7575">CVE-2015-7575</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0402">CVE-2016-0402</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0448">CVE-2016-0448</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0466">CVE-2016-0466</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0475">CVE-2016-0475</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0483">CVE-2016-0483</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0494">CVE-2016-0494</cve>
<bugzilla href="https://bugzilla.redhat.com/1289841" id="1289841">CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1298906" id="1298906">CVE-2016-0494 ICU: integer signedness issue in IndicRearrangementProcessor (OpenJDK 2D, 8140543)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1298949" id="1298949">CVE-2016-0475 OpenJDK: PBE incorrect key lengths (Libraries, 8138589)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1298957" id="1298957">CVE-2016-0402 OpenJDK: URL deserialization inconsistencies (Networking, 8059054)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299073" id="1299073">CVE-2016-0448 OpenJDK: logging of RMI connection secrets (JMX, 8130710)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299385" id="1299385">CVE-2016-0466 OpenJDK: insufficient enforcement of totalEntitySizeLimit (JAXP, 8133962)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299441" id="1299441">CVE-2016-0483 OpenJDK: incorrect boundary check in JPEG decoder (AWT, 8139017)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049005"/>
<criterion comment="java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049025"/>
<criterion comment="java-1.8.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809023"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-accessibility-debug is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049015"/>
<criterion comment="java-1.8.0-openjdk-accessibility-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160049016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-debug is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049017"/>
<criterion comment="java-1.8.0-openjdk-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049023"/>
<criterion comment="java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-demo-debug is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049019"/>
<criterion comment="java-1.8.0-openjdk-demo-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049027"/>
<criterion comment="java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-devel-debug is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049013"/>
<criterion comment="java-1.8.0-openjdk-devel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049007"/>
<criterion comment="java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-headless-debug is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049009"/>
<criterion comment="java-1.8.0-openjdk-headless-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049031"/>
<criterion comment="java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-javadoc-debug is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049029"/>
<criterion comment="java-1.8.0-openjdk-javadoc-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919028"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049021"/>
<criterion comment="java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150809016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.8.0-openjdk-src-debug is earlier than 1:1.8.0.71-2.b15.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160049011"/>
<criterion comment="java-1.8.0-openjdk-src-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20151919022"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160054" version="601">
<metadata>
<title>RHSA-2016:0054: java-1.7.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2016:0054-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0054.html" source="RHSA"/>
<reference ref_id="CVE-2015-4871" ref_url="https://access.redhat.com/security/cve/CVE-2015-4871" source="CVE"/>
<reference ref_id="CVE-2015-7575" ref_url="https://access.redhat.com/security/cve/CVE-2015-7575" source="CVE"/>
<reference ref_id="CVE-2016-0402" ref_url="https://access.redhat.com/security/cve/CVE-2016-0402" source="CVE"/>
<reference ref_id="CVE-2016-0448" ref_url="https://access.redhat.com/security/cve/CVE-2016-0448" source="CVE"/>
<reference ref_id="CVE-2016-0466" ref_url="https://access.redhat.com/security/cve/CVE-2016-0466" source="CVE"/>
<reference ref_id="CVE-2016-0483" ref_url="https://access.redhat.com/security/cve/CVE-2016-0483" source="CVE"/>
<reference ref_id="CVE-2016-0494" ref_url="https://access.redhat.com/security/cve/CVE-2016-0494" source="CVE"/>
<description>The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
An out-of-bounds write flaw was found in the JPEG image format decoder in
the AWT component in OpenJDK. A specially crafted JPEG image could cause
a Java application to crash or, possibly execute arbitrary code. An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions. (CVE-2016-0483)
An integer signedness issue was found in the font parsing code in the 2D
component in OpenJDK. A specially crafted font file could possibly cause
the Java Virtual Machine to execute arbitrary code, allowing an untrusted
Java application or applet to bypass Java sandbox restrictions.
(CVE-2016-0494)
It was discovered that the JAXP component in OpenJDK did not properly
enforce the totalEntitySizeLimit limit. An attacker able to make a Java
application process a specially crafted XML file could use this flaw to
make the application consume an excessive amount of memory. (CVE-2016-0466)
A flaw was found in the way TLS 1.2 could use the MD5 hash function for
signing ServerKeyExchange and Client Authentication packets during a TLS
handshake. A man-in-the-middle attacker able to force a TLS connection to
use the MD5 hash function could use this flaw to conduct collision attacks
to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)
Multiple flaws were discovered in the Libraries, Networking, and JMX
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871,
CVE-2016-0402, CVE-2016-0448)
Note: This update also disallows the use of the MD5 hash algorithm in the
certification path processing. The use of MD5 can be re-enabled by removing
MD5 from the jdk.certpath.disabledAlgorithms security property defined in
the java.security file.
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-21"/>
<updated date="2016-01-21"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-4871">CVE-2015-4871</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7575">CVE-2015-7575</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0402">CVE-2016-0402</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0448">CVE-2016-0448</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0466">CVE-2016-0466</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0483">CVE-2016-0483</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0494">CVE-2016-0494</cve>
<bugzilla href="https://bugzilla.redhat.com/1273859" id="1273859">CVE-2015-4871 OpenJDK: protected methods can be used as interface methods via DirectMethodHandle (Libraries)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1289841" id="1289841">CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1298906" id="1298906">CVE-2016-0494 ICU: integer signedness issue in IndicRearrangementProcessor (OpenJDK 2D, 8140543)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1298957" id="1298957">CVE-2016-0402 OpenJDK: URL deserialization inconsistencies (Networking, 8059054)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299073" id="1299073">CVE-2016-0448 OpenJDK: logging of RMI connection secrets (JMX, 8130710)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299385" id="1299385">CVE-2016-0466 OpenJDK: insufficient enforcement of totalEntitySizeLimit (JAXP, 8133962)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299441" id="1299441">CVE-2016-0483 OpenJDK: incorrect boundary check in JPEG decoder (AWT, 8139017)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.95-2.6.4.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160054008"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20160054009"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.95-2.6.4.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160054004"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20160054005"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.95-2.6.4.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160054010"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20160054011"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.95-2.6.4.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160054002"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20160054003"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.95-2.6.4.1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160054006"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20160054007"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk is earlier than 1:1.7.0.95-2.6.4.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160054020"/>
<criterion comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.95-2.6.4.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160054016"/>
<criterion comment="java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675018"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.95-2.6.4.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160054026"/>
<criterion comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.95-2.6.4.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160054022"/>
<criterion comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675016"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.95-2.6.4.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160054024"/>
<criterion comment="java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.95-2.6.4.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160054028"/>
<criterion comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675014"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.95-2.6.4.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160054018"/>
<criterion comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140675008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160063" version="601">
<metadata>
<title>RHSA-2016:0063: ntp security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0063-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0063.html" source="RHSA"/>
<reference ref_id="CVE-2015-8138" ref_url="https://access.redhat.com/security/cve/CVE-2015-8138" source="CVE"/>
<description>The Network Time Protocol (NTP) is used to synchronize a computer's time
with a referenced time source.
It was discovered that ntpd as a client did not correctly check the
originate timestamp in received packets. A remote attacker could use this
flaw to send a crafted packet to an ntpd client that would effectively
disable synchronization with the server, or push arbitrary offset/delay
measurements to modify the time on the client. (CVE-2015-8138)
All ntp users are advised to upgrade to these updated packages, which
contain a backported patch to resolve this issue. After installing the
update, the ntpd daemon will restart automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-25"/>
<updated date="2016-01-25"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8138">CVE-2015-8138</cve>
<bugzilla href="https://bugzilla.redhat.com/1299442" id="1299442">CVE-2015-8138 ntp: missing check for zero originate timestamp</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ntp is earlier than 0:4.2.6p5-5.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20160063007"/>
<criterion comment="ntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-doc is earlier than 0:4.2.6p5-5.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20160063011"/>
<criterion comment="ntp-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-perl is earlier than 0:4.2.6p5-5.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20160063005"/>
<criterion comment="ntp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntpdate is earlier than 0:4.2.6p5-5.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20160063009"/>
<criterion comment="ntpdate is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="ntp is earlier than 0:4.2.6p5-22.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20160063020"/>
<criterion comment="ntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024006"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-doc is earlier than 0:4.2.6p5-22.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20160063021"/>
<criterion comment="ntp-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024010"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntp-perl is earlier than 0:4.2.6p5-22.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20160063022"/>
<criterion comment="ntp-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024014"/>
</criteria>
<criteria operator="AND">
<criterion comment="ntpdate is earlier than 0:4.2.6p5-22.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20160063017"/>
<criterion comment="ntpdate is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024012"/>
</criteria>
<criteria operator="AND">
<criterion comment="sntp is earlier than 0:4.2.6p5-22.el7_2.1" test_ref="oval:com.redhat.rhsa:tst:20160063018"/>
<criterion comment="sntp is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20142024008"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160064" version="601">
<metadata>
<title>RHSA-2016:0064: kernel security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0064-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0064.html" source="RHSA"/>
<reference ref_id="CVE-2016-0728" ref_url="https://access.redhat.com/security/cve/CVE-2016-0728" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A use-after-free flaw was found in the way the Linux kernel's key
management subsystem handled keyring object reference counting in certain
error path of the join_session_keyring() function. A local, unprivileged
user could use this flaw to escalate their privileges on the system.
(CVE-2016-0728, Important)
Red Hat would like to thank the Perception Point research team for
reporting this issue.
All kernel users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-25"/>
<updated date="2016-01-25"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0728">CVE-2016-0728</cve>
<bugzilla href="https://bugzilla.redhat.com/1297475" id="1297475">CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064023"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064005"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064027"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064019"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064009"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064025"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064007"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064011"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064013"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064017"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064029"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064033"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064031"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064015"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-327.4.5.el7" test_ref="oval:com.redhat.rhsa:tst:20160064021"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160065" version="601">
<metadata>
<title>RHSA-2016:0065: kernel-rt security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0065-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0065.html" source="RHSA"/>
<reference ref_id="CVE-2016-0728" ref_url="https://access.redhat.com/security/cve/CVE-2016-0728" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* A use-after-free flaw was found in the way the Linux kernel's key
management subsystem handled keyring object reference counting in certain
error path of the join_session_keyring() function. A local, unprivileged
user could use this flaw to escalate their privileges on the system.
(CVE-2016-0728, Important)
Red Hat would like to thank the Perception Point research team for
reporting this issue.
All kernel-rt users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-25"/>
<updated date="2016-01-25"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0728">CVE-2016-0728</cve>
<bugzilla href="https://bugzilla.redhat.com/1297475" id="1297475">CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel-rt is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065015"/>
<criterion comment="kernel-rt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065021"/>
<criterion comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-devel is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065023"/>
<criterion comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-kvm is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065019"/>
<criterion comment="kernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152411008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-devel is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065013"/>
<criterion comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-doc is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065005"/>
<criterion comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-kvm is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065011"/>
<criterion comment="kernel-rt-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152411024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065007"/>
<criterion comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-devel is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065009"/>
<criterion comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-kvm is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160065017"/>
<criterion comment="kernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152411014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160067" version="601">
<metadata>
<title>RHSA-2016:0067: java-1.6.0-openjdk security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0067-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0067.html" source="RHSA"/>
<reference ref_id="CVE-2016-0402" ref_url="https://access.redhat.com/security/cve/CVE-2016-0402" source="CVE"/>
<reference ref_id="CVE-2016-0448" ref_url="https://access.redhat.com/security/cve/CVE-2016-0448" source="CVE"/>
<reference ref_id="CVE-2016-0466" ref_url="https://access.redhat.com/security/cve/CVE-2016-0466" source="CVE"/>
<reference ref_id="CVE-2016-0483" ref_url="https://access.redhat.com/security/cve/CVE-2016-0483" source="CVE"/>
<reference ref_id="CVE-2016-0494" ref_url="https://access.redhat.com/security/cve/CVE-2016-0494" source="CVE"/>
<description>The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
An out-of-bounds write flaw was found in the JPEG image format decoder in
the AWT component in OpenJDK. A specially crafted JPEG image could cause
a Java application to crash or, possibly execute arbitrary code. An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions. (CVE-2016-0483)
An integer signedness issue was found in the font parsing code in the 2D
component in OpenJDK. A specially crafted font file could possibly cause
the Java Virtual Machine to execute arbitrary code, allowing an untrusted
Java application or applet to bypass Java sandbox restrictions.
(CVE-2016-0494)
It was discovered that the JAXP component in OpenJDK did not properly
enforce the totalEntitySizeLimit limit. An attacker able to make a Java
application process a specially crafted XML file could use this flaw to
make the application consume an excessive amount of memory. (CVE-2016-0466)
Multiple flaws were discovered in the Networking and JMX components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2016-0402, CVE-2016-0448)
Note: This update also disallows the use of the MD5 hash algorithm in the
certification path processing. The use of MD5 can be re-enabled by removing
MD5 from the jdk.certpath.disabledAlgorithms security property defined in
the java.security file.
All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-26"/>
<updated date="2016-01-26"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0402">CVE-2016-0402</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0448">CVE-2016-0448</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0466">CVE-2016-0466</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0483">CVE-2016-0483</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0494">CVE-2016-0494</cve>
<bugzilla href="https://bugzilla.redhat.com/1298906" id="1298906">CVE-2016-0494 ICU: integer signedness issue in IndicRearrangementProcessor (OpenJDK 2D, 8140543)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1298957" id="1298957">CVE-2016-0402 OpenJDK: URL deserialization inconsistencies (Networking, 8059054)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299073" id="1299073">CVE-2016-0448 OpenJDK: logging of RMI connection secrets (JMX, 8130710)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299385" id="1299385">CVE-2016-0466 OpenJDK: insufficient enforcement of totalEntitySizeLimit (JAXP, 8133962)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299441" id="1299441">CVE-2016-0483 OpenJDK: incorrect boundary check in JPEG decoder (AWT, 8139017)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.38-1.13.10.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160067002"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907003"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.38-1.13.10.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160067008"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907011"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.38-1.13.10.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160067010"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907009"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.38-1.13.10.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160067006"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907007"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.38-1.13.10.0.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160067004"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140907005"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.38-1.13.10.0.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160067024"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.38-1.13.10.0.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160067018"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.38-1.13.10.0.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160067016"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.38-1.13.10.0.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160067022"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.38-1.13.10.0.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160067020"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk is earlier than 1:1.6.0.38-1.13.10.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160067032"/>
<criterion comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685006"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.38-1.13.10.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160067031"/>
<criterion comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685008"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.38-1.13.10.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160067033"/>
<criterion comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685012"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.38-1.13.10.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160067034"/>
<criterion comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685010"/>
</criteria>
<criteria operator="AND">
<criterion comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.38-1.13.10.0.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160067030"/>
<criterion comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140685014"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160071" version="601">
<metadata>
<title>RHSA-2016:0071: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2016:0071-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0071.html" source="RHSA"/>
<reference ref_id="CVE-2016-1930" ref_url="https://access.redhat.com/security/cve/CVE-2016-1930" source="CVE"/>
<reference ref_id="CVE-2016-1935" ref_url="https://access.redhat.com/security/cve/CVE-2016-1935" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2016-1930, CVE-2016-1935)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Bob Clary, Christian Holler, Nils Ohlmeier, Gary
Kwong, Jesse Ruderman, Carsten Book, Randell Jesup, and Aki Helin as the
original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.6.0 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-27"/>
<updated date="2016-01-27"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1930">CVE-2016-1930</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1935">CVE-2016-1935</cve>
<bugzilla href="https://bugzilla.redhat.com/1301818" id="1301818">CVE-2016-1930 Mozilla: Miscellaneous memory safety hazards (rv:38.6) (MFSA 2016-01)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1301821" id="1301821">CVE-2016-1935 Mozilla: Buffer overflow in WebGL after out of memory allocation (MFSA 2016-03)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.6.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160071002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.6.0-1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160071008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.6.0-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160071014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160073" version="601">
<metadata>
<title>RHSA-2016:0073: bind security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 5</platform>
</affected>
<reference ref_id="RHSA-2016:0073-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0073.html" source="RHSA"/>
<reference ref_id="CVE-2015-8704" ref_url="https://access.redhat.com/security/cve/CVE-2015-8704" source="CVE"/>
<description>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain
Name System (DNS) protocols. BIND includes a DNS server (named); a resolver
library (routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating correctly.
A denial of service flaw was found in the way BIND processed certain
malformed Address Prefix List (APL) records. A remote, authenticated
attacker could use this flaw to cause named to crash. (CVE-2015-8704)
Red Hat would like to thank ISC for reporting this issue.
All bind users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
update, the BIND daemon (named) will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-27"/>
<updated date="2016-01-27"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-8704">CVE-2015-8704</cve>
<bugzilla href="https://bugzilla.redhat.com/1299364" id="1299364">CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 30:9.3.6-25.P1.el5_11.6" test_ref="oval:com.redhat.rhsa:tst:20160073014"/>
<criterion comment="bind is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984003"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 30:9.3.6-25.P1.el5_11.6" test_ref="oval:com.redhat.rhsa:tst:20160073010"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984007"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 30:9.3.6-25.P1.el5_11.6" test_ref="oval:com.redhat.rhsa:tst:20160073004"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984015"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libbind-devel is earlier than 30:9.3.6-25.P1.el5_11.6" test_ref="oval:com.redhat.rhsa:tst:20160073006"/>
<criterion comment="bind-libbind-devel is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984013"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 30:9.3.6-25.P1.el5_11.6" test_ref="oval:com.redhat.rhsa:tst:20160073008"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984011"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 30:9.3.6-25.P1.el5_11.6" test_ref="oval:com.redhat.rhsa:tst:20160073012"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984005"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 30:9.3.6-25.P1.el5_11.6" test_ref="oval:com.redhat.rhsa:tst:20160073002"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984009"/>
</criteria>
<criteria operator="AND">
<criterion comment="caching-nameserver is earlier than 30:9.3.6-25.P1.el5_11.6" test_ref="oval:com.redhat.rhsa:tst:20160073016"/>
<criterion comment="caching-nameserver is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20141984017"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.8.2-0.37.rc1.el6_7.6" test_ref="oval:com.redhat.rhsa:tst:20160073028"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.8.2-0.37.rc1.el6_7.6" test_ref="oval:com.redhat.rhsa:tst:20160073032"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.8.2-0.37.rc1.el6_7.6" test_ref="oval:com.redhat.rhsa:tst:20160073022"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.8.2-0.37.rc1.el6_7.6" test_ref="oval:com.redhat.rhsa:tst:20160073026"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.8.2-0.37.rc1.el6_7.6" test_ref="oval:com.redhat.rhsa:tst:20160073030"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.8.2-0.37.rc1.el6_7.6" test_ref="oval:com.redhat.rhsa:tst:20160073024"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="bind is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073038"/>
<criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-chroot is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073045"/>
<criterion comment="bind-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984025"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-devel is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073039"/>
<criterion comment="bind-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984031"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073046"/>
<criterion comment="bind-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984033"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-libs-lite is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073056"/>
<criterion comment="bind-libs-lite is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984041"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-license is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073058"/>
<criterion comment="bind-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984029"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-lite-devel is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073042"/>
<criterion comment="bind-lite-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984039"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-pkcs11 is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073054"/>
<criterion comment="bind-pkcs11 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152655032"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-pkcs11-devel is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073040"/>
<criterion comment="bind-pkcs11-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152655028"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-pkcs11-libs is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073052"/>
<criterion comment="bind-pkcs11-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152655030"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-pkcs11-utils is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073050"/>
<criterion comment="bind-pkcs11-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152655023"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073044"/>
<criterion comment="bind-sdb is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984027"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-sdb-chroot is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073047"/>
<criterion comment="bind-sdb-chroot is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984035"/>
</criteria>
<criteria operator="AND">
<criterion comment="bind-utils is earlier than 32:9.9.4-29.el7_2.2" test_ref="oval:com.redhat.rhsa:tst:20160073049"/>
<criterion comment="bind-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141984037"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160083" version="603">
<metadata>
<title>RHSA-2016:0083: qemu-kvm security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0083-02" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0083.html" source="RHSA"/>
<reference ref_id="CVE-2016-1714" ref_url="https://access.redhat.com/security/cve/CVE-2016-1714" source="CVE"/>
<description>KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the
user-space component for running virtual machines using KVM.
An out-of-bounds read/write flaw was discovered in the way QEMU's Firmware
Configuration device emulation processed certain firmware configurations.
A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the
QEMU process instance or, potentially, execute arbitrary code on the host
with privileges of the QEMU process. (CVE-2016-1714)
Red Hat would like to thank Donghai Zhu of Alibaba for reporting this
issue.
This update also fixes the following bugs:
* Incorrect handling of the last sector of an image file could trigger an
assertion failure in qemu-img. This update changes the handling of the last
sector, and no assertion failure occurs. (BZ#1298828)
All qemu-kvm users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-01-28"/>
<updated date="2016-01-28"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1714">CVE-2016-1714</cve>
<bugzilla href="https://bugzilla.redhat.com/1296060" id="1296060">CVE-2016-1714 Qemu: nvram: OOB r/w access in processing firmware configurations</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1298828" id="1298828">[abrt] qemu-img: get_block_status(): qemu-img killed by SIGABRT</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="libcacard is earlier than 10:1.5.3-105.el7_2.3" test_ref="oval:com.redhat.rhsa:tst:20160083007"/>
<criterion comment="libcacard is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704008"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-devel is earlier than 10:1.5.3-105.el7_2.3" test_ref="oval:com.redhat.rhsa:tst:20160083005"/>
<criterion comment="libcacard-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704010"/>
</criteria>
<criteria operator="AND">
<criterion comment="libcacard-tools is earlier than 10:1.5.3-105.el7_2.3" test_ref="oval:com.redhat.rhsa:tst:20160083015"/>
<criterion comment="libcacard-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704016"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-img is earlier than 10:1.5.3-105.el7_2.3" test_ref="oval:com.redhat.rhsa:tst:20160083011"/>
<criterion comment="qemu-img is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704014"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm is earlier than 10:1.5.3-105.el7_2.3" test_ref="oval:com.redhat.rhsa:tst:20160083017"/>
<criterion comment="qemu-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704006"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-common is earlier than 10:1.5.3-105.el7_2.3" test_ref="oval:com.redhat.rhsa:tst:20160083013"/>
<criterion comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704018"/>
</criteria>
<criteria operator="AND">
<criterion comment="qemu-kvm-tools is earlier than 10:1.5.3-105.el7_2.3" test_ref="oval:com.redhat.rhsa:tst:20160083009"/>
<criterion comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140704020"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160176" version="601">
<metadata>
<title>RHSA-2016:0176: glibc security and bug fix update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0176-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0176.html" source="RHSA"/>
<reference ref_id="CVE-2015-5229" ref_url="https://access.redhat.com/security/cve/CVE-2015-5229" source="CVE"/>
<reference ref_id="CVE-2015-7547" ref_url="https://access.redhat.com/security/cve/CVE-2015-7547" source="CVE"/>
<description>The glibc packages provide the standard C libraries (libc), POSIX
thread libraries (libpthread), standard math libraries (libm), and the
name service cache daemon (nscd) used by multiple programs on the
system. Without these libraries, the Linux system cannot function
correctly.
A stack-based buffer overflow was found in the way the libresolv library
performed dual A/AAAA DNS queries. A remote attacker could create a
specially crafted DNS response which could cause libresolv to crash or,
potentially, execute code with the permissions of the user running the
library. Note: this issue is only exposed when libresolv is called from the
nss_dns NSS service module. (CVE-2015-7547)
It was discovered that the calloc implementation in glibc could return
memory areas which contain non-zero bytes. This could result in unexpected
application behavior such as hangs or crashes. (CVE-2015-5229)
The CVE-2015-7547 issue was discovered by the Google Security Team and Red
Hat. Red Hat would like to thank Jeff Layton for reporting the
CVE-2015-5229 issue.
This update also fixes the following bugs:
* The existing implementation of the "free" function causes all memory
pools beyond the first to return freed memory directly to the operating
system as quickly as possible. This can result in performance degradation
when the rate of free calls is very high. The first memory pool (the main
pool) does provide a method to rate limit the returns via M_TRIM_THRESHOLD,
but this method is not available to subsequent memory pools.
With this update, the M_TRIM_THRESHOLD method is extended to apply to all
memory pools, which improves performance for threads with very high amounts
of free calls and limits the number of "madvise" system calls. The change
also increases the total transient memory usage by processes because the
trim threshold must be reached before memory can be freed.
To return to the previous behavior, you can either set M_TRIM_THRESHOLD
using the "mallopt" function, or set the MALLOC_TRIM_THRESHOLD environment
variable to 0. (BZ#1298930)
* On the little-endian variant of 64-bit IBM Power Systems (ppc64le), a bug
in the dynamic loader could cause applications compiled with profiling
enabled to fail to start with the error "monstartup: out of memory".
The bug has been corrected and applications compiled for profiling now
start correctly. (BZ#1298956)
All glibc users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-02-16"/>
<updated date="2016-02-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5229">CVE-2015-5229</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7547">CVE-2015-7547</cve>
<bugzilla href="https://bugzilla.redhat.com/1256285" id="1256285">CVE-2015-5229 glibc: calloc may return non-zero memory</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1293532" id="1293532">CVE-2015-7547 glibc: getaddrinfo stack-based buffer overflow</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1298956" id="1298956">"monstartup: out of memory" on PPC64LE [rhel-7.2.z]</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="glibc is earlier than 0:2.17-106.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160176009"/>
<criterion comment="glibc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110019"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-common is earlier than 0:2.17-106.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160176011"/>
<criterion comment="glibc-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110025"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-devel is earlier than 0:2.17-106.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160176017"/>
<criterion comment="glibc-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110023"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-headers is earlier than 0:2.17-106.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160176005"/>
<criterion comment="glibc-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110021"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-static is earlier than 0:2.17-106.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160176007"/>
<criterion comment="glibc-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110027"/>
</criteria>
<criteria operator="AND">
<criterion comment="glibc-utils is earlier than 0:2.17-106.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160176013"/>
<criterion comment="glibc-utils is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110029"/>
</criteria>
<criteria operator="AND">
<criterion comment="nscd is earlier than 0:2.17-106.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160176015"/>
<criterion comment="nscd is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141110031"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160185" version="601">
<metadata>
<title>RHSA-2016:0185: kernel security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0185-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0185.html" source="RHSA"/>
<reference ref_id="CVE-2015-5157" ref_url="https://access.redhat.com/security/cve/CVE-2015-5157" source="CVE"/>
<reference ref_id="CVE-2015-7872" ref_url="https://access.redhat.com/security/cve/CVE-2015-7872" source="CVE"/>
<description>The kernel packages contain the Linux kernel, the core of any Linux
operating system.
* It was found that the Linux kernel's keys subsystem did not correctly
garbage collect uninstantiated keyrings. A local attacker could use this
flaw to crash the system or, potentially, escalate their privileges on the
system. (CVE-2015-7872, Important)
* A flaw was found in the way the Linux kernel handled IRET faults during
the processing of NMIs. An unprivileged, local user could use this flaw to
crash the system or, potentially (although highly unlikely), escalate their
privileges on the system. (CVE-2015-5157, Moderate)
This update also fixes the following bugs:
* Previously, processing packets with a lot of different IPv6 source
addresses caused the kernel to return warnings concerning soft-lockups due
to high lock contention and latency increase. With this update, lock
contention is reduced by backing off concurrent waiting threads on the
lock. As a result, the kernel no longer issues warnings in the described
scenario. (BZ#1285370)
* Prior to this update, block device readahead was artificially limited.
As a consequence, the read performance was poor, especially on RAID
devices. Now, per-device readahead limits are used for each device instead
of a global limit. As a result, read performance has improved, especially
on RAID devices. (BZ#1287550)
* After injecting an EEH error, the host was previously not recovering and
observing I/O hangs in HTX tool logs. This update makes sure that when one
or both of EEH_STATE_MMIO_ACTIVE and EEH_STATE_MMIO_ENABLED flags is marked
in the PE state, the PE's IO path is regarded as enabled as well. As a
result, the host no longer hangs and recovers as expected. (BZ#1289101)
* The genwqe device driver was previously using the GFP_ATOMIC flag for
allocating consecutive memory pages from the kernel's atomic memory pool,
even in non-atomic situations. This could lead to allocation failures
during memory pressure. With this update, the genwqe driver's memory
allocations use the GFP_KERNEL flag, and the driver can allocate memory
even during memory pressure situations. (BZ#1289450)
* The nx842 co-processor for IBM Power Systems could in some circumstances
provide invalid data due to a data corruption bug during uncompression.
With this update, all compression and uncompression calls to the nx842
co-processor contain a cyclic redundancy check (CRC) flag, which forces all
compression and uncompression operations to check data integrity and
prevents the co-processor from providing corrupted data. (BZ#1289451)
* A failed "updatepp" operation on the little-endian variant of IBM Power
Systems could previously cause a wrong hash value to be used for the next
hash insert operation in the page table. This could result in a missing
hash pte update or invalidate operation, potentially causing memory
corruption. With this update, the hash value is always recalculated after a
failed "updatepp" operation, avoiding memory corruption. (BZ#1289452)
* Large Receive Offload (LRO) flag disabling was not being propagated
downwards from above devices in vlan and bond hierarchy, breaking the flow
of traffic. This problem has been fixed and LRO flags now propagate
correctly. (BZ#1292072)
* Due to rounding errors in the CPU frequency of the intel_pstate driver,
the CPU frequency never reached the value requested by the user. A kernel
patch has been applied to fix these rounding errors. (BZ#1296276)
* When running several containers (up to 100), reports of hung tasks were
previously reported. This update fixes the AB-BA deadlock in the
dm_destroy() function, and the hung reports no longer occur. (BZ#1296566)
All kernel users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-02-16"/>
<updated date="2016-02-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5157">CVE-2015-5157</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7872">CVE-2015-7872</cve>
<bugzilla href="https://bugzilla.redhat.com/1259577" id="1259577">CVE-2015-5157 kernel: x86-64: IRET faults during NMIs processing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1272371" id="1272371">CVE-2015-7872 kernel: Keyrings crash triggerable by unprivileged user</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185021"/>
<criterion comment="kernel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-abi-whitelists is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185005"/>
<criterion comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678034"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-bootwrapper is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185027"/>
<criterion comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678026"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185019"/>
<criterion comment="kernel-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-debug-devel is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185015"/>
<criterion comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678018"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-devel is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185023"/>
<criterion comment="kernel-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-doc is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185007"/>
<criterion comment="kernel-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678032"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-headers is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185017"/>
<criterion comment="kernel-headers is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185025"/>
<criterion comment="kernel-kdump is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678028"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-kdump-devel is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185013"/>
<criterion comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678030"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185029"/>
<criterion comment="kernel-tools is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185033"/>
<criterion comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-tools-libs-devel is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185031"/>
<criterion comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678020"/>
</criteria>
<criteria operator="AND">
<criterion comment="perf is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185011"/>
<criterion comment="perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678014"/>
</criteria>
<criteria operator="AND">
<criterion comment="python-perf is earlier than 0:3.10.0-327.10.1.el7" test_ref="oval:com.redhat.rhsa:tst:20160185009"/>
<criterion comment="python-perf is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140678016"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160188" version="601">
<metadata>
<title>RHSA-2016:0188: sos security and bug fix update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0188-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0188.html" source="RHSA"/>
<reference ref_id="CVE-2015-7529" ref_url="https://access.redhat.com/security/cve/CVE-2015-7529" source="CVE"/>
<description>The sos package contains a set of utilities that gather information from
system hardware, logs, and configuration files. The information can then be
used for diagnostic purposes and debugging.
An insecure temporary file use flaw was found in the way sos created
certain sosreport files. A local attacker could possibly use this flaw to
perform a symbolic link attack to reveal the contents of sosreport files,
or in some cases modify arbitrary files and escalate their privileges on
the system. (CVE-2015-7529)
This issue was discovered by Mateusz Guzik of Red Hat.
This update also fixes the following bug:
* Previously, the sosreport tool was not collecting the /var/lib/ceph and
/var/run/ceph directories when run with the ceph plug-in enabled, causing
the generated sosreport archive to miss vital troubleshooting information
about ceph. With this update, the ceph plug-in for sosreport collects these
directories, and the generated report contains more useful information.
(BZ#1291347)
All users of sos are advised to upgrade to this updated package, which
contains backported patches to correct these issues.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-02-16"/>
<updated date="2016-02-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7529">CVE-2015-7529</cve>
<bugzilla href="https://bugzilla.redhat.com/1282542" id="1282542">CVE-2015-7529 sos: Usage of predictable temporary files allows privilege escalation</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criterion comment="sos is earlier than 0:3.2-35.el7_2.3" test_ref="oval:com.redhat.rhsa:tst:20160188005"/>
<criterion comment="sos is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160188006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160189" version="601">
<metadata>
<title>RHSA-2016:0189: polkit security update (Moderate)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0189-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0189.html" source="RHSA"/>
<reference ref_id="CVE-2015-3256" ref_url="https://access.redhat.com/security/cve/CVE-2015-3256" source="CVE"/>
<description>PolicyKit is a toolkit for defining and handling authorizations.
A denial of service flaw was found in how polkit handled authorization
requests. A local, unprivileged user could send malicious requests to
polkit, which could then cause the polkit daemon to corrupt its memory and
crash. (CVE-2015-3256)
All polkit users should upgrade to these updated packages, which contain a
backported patch to correct this issue. The system must be rebooted for
this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Moderate</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-02-16"/>
<updated date="2016-02-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3256">CVE-2015-3256</cve>
<bugzilla href="https://bugzilla.redhat.com/1245684" id="1245684">CVE-2015-3256 polkit: Memory corruption via javascript rule evaluation</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="polkit is earlier than 0:0.112-6.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160189005"/>
<criterion comment="polkit is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160189006"/>
</criteria>
<criteria operator="AND">
<criterion comment="polkit-devel is earlier than 0:0.112-6.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160189007"/>
<criterion comment="polkit-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160189008"/>
</criteria>
<criteria operator="AND">
<criterion comment="polkit-docs is earlier than 0:0.112-6.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160189009"/>
<criterion comment="polkit-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20160189010"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160197" version="601">
<metadata>
<title>RHSA-2016:0197: firefox security update (Critical)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0197-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0197.html" source="RHSA"/>
<reference ref_id="CVE-2016-1521" ref_url="https://access.redhat.com/security/cve/CVE-2016-1521" source="CVE"/>
<reference ref_id="CVE-2016-1522" ref_url="https://access.redhat.com/security/cve/CVE-2016-1522" source="CVE"/>
<reference ref_id="CVE-2016-1523" ref_url="https://access.redhat.com/security/cve/CVE-2016-1523" source="CVE"/>
<description>Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Multiple security flaws were found in the graphite2 font library shipped
with Firefox. A web page containing malicious content could cause Firefox
to crash or, potentially, execute arbitrary code with the privileges of the
user running Firefox. (CVE-2016-1521, CVE-2016-1522, CVE-2016-1523)
All Firefox users should upgrade to these updated packages, which contain
Firefox version 38.6.1 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Critical</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-02-16"/>
<updated date="2016-02-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1521">CVE-2016-1521</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1522">CVE-2016-1522</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1523">CVE-2016-1523</cve>
<bugzilla href="https://bugzilla.redhat.com/1305805" id="1305805">CVE-2016-1521 graphite2: Out-of-bound read vulnerability triggered by crafted fonts</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1305810" id="1305810">CVE-2016-1522 graphite2: Null pointer dereference and out-of-bounds access vulnerabilities</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1305813" id="1305813">CVE-2016-1523 graphite2: Heap-based buffer overflow in context item handling functionality</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1306496" id="1306496">Mozilla: Vulnerabilities in Graphite 2 (MFSA 2016-14)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="firefox is earlier than 0:38.6.1-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160197002"/>
<criterion comment="firefox is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20140741003"/>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.6.1-1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160197008"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="firefox is earlier than 0:38.6.1-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160197014"/>
<criterion comment="firefox is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140741009"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160204" version="601">
<metadata>
<title>RHSA-2016:0204: 389-ds-base security and bug fix update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0204-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0204.html" source="RHSA"/>
<reference ref_id="CVE-2016-0741" ref_url="https://access.redhat.com/security/cve/CVE-2016-0741" source="CVE"/>
<description>The 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server.
The base packages include the Lightweight Directory Access Protocol (LDAP)
server and command-line utilities for server administration.
An infinite-loop vulnerability was discovered in the 389 directory server,
where the server failed to correctly handle unexpectedly closed client
connections. A remote attacker able to connect to the server could use this
flaw to make the directory server consume an excessive amount of CPU and
stop accepting connections (denial of service). (CVE-2016-0741)
This update fixes the following bugs:
* Previously, if a simple paged results search failed in the back end, the
simple paged results slot was not released. Consequently, the simple paged
results slots in a connection object could be accumulated. With this
update, the simple paged results slot is released correctly when a search
fails, and unused simple paged results slots are no longer left in a
connection object. (BZ#1290725)
* Previously, when several values of the same attribute were deleted using
the ldapmodify command, and at least one of them was added again during the
same operation, the equality index was not updated. As a consequence, an
exact search for the re-added attribute value did not return the entry. The
logic of the index code has been modified to update the index if at least
one of the values in the entry changes, and the exact search for the
re-added attribute value now returns the correct entry. (BZ#1290726)
* Prior to this update, when the cleanAllRUV task was running, a bogus
attrlist_replace error message was logged repeatedly due to a memory
corruption. With this update, the appropriate memory copy function memmove
is used, which fixes the memory corruption. As a result, the error messages
are no longer logged in this scenario. (BZ#1295684)
* To fix a simple paged results bug, an exclusive lock on a connection was
previously added. This consequently caused a self deadlock in a particular
case. With this update, the exclusive lock on a connection has been changed
to the re-entrant type, and the self deadlock no longer occurs.
(BZ#1298105)
* Previously, an unnecessary lock was sometimes acquired on a connection
object, which could consequently cause a deadlock. A patch has been applied
to remove the unnecessary locking, and the deadlock no longer occurs.
(BZ#1299346)
Users of 389-ds-base are advised to upgrade to these updated packages,
which correct these issues. After installing this update, the 389 server
service will be restarted automatically.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-02-16"/>
<updated date="2016-02-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0741">CVE-2016-0741</cve>
<bugzilla href="https://bugzilla.redhat.com/1290725" id="1290725">SimplePagedResults -- in the search error case, simple paged results slot was not released.</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1290726" id="1290726">The 'eq' index does not get updated properly when deleting and re-adding attributes in the same ldapmodify operation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1295684" id="1295684">many attrlist_replace errors in connection with cleanallruv</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299346" id="1299346">deadlock on connection mutex</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1299416" id="1299416">CVE-2016-0741 389-ds-base: worker threads do not detect abnormally closed connections causing DoS</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="389-ds-base is earlier than 0:1.3.4.0-26.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160204007"/>
<criterion comment="389-ds-base is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031006"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-devel is earlier than 0:1.3.4.0-26.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160204005"/>
<criterion comment="389-ds-base-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031010"/>
</criteria>
<criteria operator="AND">
<criterion comment="389-ds-base-libs is earlier than 0:1.3.4.0-26.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160204009"/>
<criterion comment="389-ds-base-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20141031008"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160212" version="601">
<metadata>
<title>RHSA-2016:0212: kernel-rt security, bug fix, and enhancement update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0212-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0212.html" source="RHSA"/>
<reference ref_id="CVE-2015-5157" ref_url="https://access.redhat.com/security/cve/CVE-2015-5157" source="CVE"/>
<reference ref_id="CVE-2015-7872" ref_url="https://access.redhat.com/security/cve/CVE-2015-7872" source="CVE"/>
<description>The kernel-rt packages contain the Linux kernel, the core of any Linux
operating system.
* It was found that the Linux kernel's keys subsystem did not correctly
garbage collect uninstantiated keyrings. A local attacker could use this
flaw to crash the system or, potentially, escalate their privileges on the
system. (CVE-2015-7872, Important)
* A flaw was found in the way the Linux kernel handled IRET faults during
the processing of NMIs. An unprivileged, local user could use this flaw to
crash the system or, potentially (although highly unlikely), escalate their
privileges on the system. (CVE-2015-5157, Moderate)
The kernel-rt packages have been upgraded to version 3.10.0-327.10.1, which
provides a number of bug fixes and enhancements, including:
* [md] dm: fix AB-BA deadlock in __dm_destroy()
* [md] revert "dm-mpath: fix stalls when handling invalid ioctl
* [cpufreq] intel_pstate: Fix limits->max_perf and limits->max_policy_pct
rounding errors
* [cpufreq] revert "intel_pstate: fix rounding error in max_freq_pct"
* [crypto] nx: 842 - Add CRC and validation support
* [of] return NUMA_NO_NODE from fallback of_node_to_nid()
(BZ#1282591)
This update also fixes the following bugs:
* Because the realtime kernel replaces most of the spinlocks with
rtmutexes, the locking scheme used in both NAPI polling and busy polling
could become out of synchronization with the State Machine they protected.
This could cause system performance degradation or even a livelock
situation when a machine with faster NICs (10g or 40g) was subject to a
heavy pressure receiving network packets. The locking schemes on NAPI
polling and busy polling routines have been hardened to enforce the State
machine sanity to help ensure the system continues to function properly
under pressure. (BZ#1293230)
* A possible livelock in the NAPI polling and busy polling routines could
lead the system to a livelock on threads running at high, realtime,
priorities. The threads running at priorities lower than the ones of the
threads involved in the livelock were prevented from running on the CPUs
affected by the livelock. Among those lower priority threads are the rcuc/
threads. With this update, right before (4 jiffies) a RCU stall is
detected, the rcuc/ threads on the CPUs facing the livelock have their
priorities boosted above the priority of the threads involved in the
livelock. The softirq code has also been updated to be more robust.
These modifications allow the rcuc/ threads to execute even under system
pressure, mitigating the RCU stalls. (BZ#1293229)
* Multiple CPUs trying to take an rq lock previously caused large latencies
on machines with many CPUs. On systems with more than 32 cores, this update
uses the "push" rather than "pull" approach and provides multiple changes
to the scheduling of rq locks. As a result, machines no longer suffer from
multiplied latencies on large CPU systems. (BZ#1282597)
* Previously, the SFC driver for 10 GB cards executed polling in NAPI mode,
using a locking mechanism similar to a "trylock". Consequently, when
running on a Realtime kernel, a livelock could occur. This update modifies
the locking mechanism so that once the lock is taken it is not released
until the operation is complete. (BZ#1282609)
All kernel-rt users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. The system must be
rebooted for this update to take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-02-16"/>
<updated date="2016-02-16"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-5157">CVE-2015-5157</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2015-7872">CVE-2015-7872</cve>
<bugzilla href="https://bugzilla.redhat.com/1259577" id="1259577">CVE-2015-5157 kernel: x86-64: IRET faults during NMIs processing</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1272371" id="1272371">CVE-2015-7872 kernel: Keyrings crash triggerable by unprivileged user</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1282591" id="1282591">kernel-rt: update to the RHEL7.2.z batch 2 source tree</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1293229" id="1293229">RCU stalls message on realtime kernel</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1293230" id="1293230">rt: netpoll: live lock with NAPI polling and busy polling on realtime kernel</bugzilla>
<affected_cpe_list>
<cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="kernel-rt is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212023"/>
<criterion comment="kernel-rt is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727006"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212007"/>
<criterion comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727014"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-devel is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212017"/>
<criterion comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727016"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-debug-kvm is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212019"/>
<criterion comment="kernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152411008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-devel is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212011"/>
<criterion comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727012"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-doc is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212005"/>
<criterion comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727022"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-kvm is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212009"/>
<criterion comment="kernel-rt-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152411024"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212015"/>
<criterion comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727008"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-devel is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212021"/>
<criterion comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150727010"/>
</criteria>
<criteria operator="AND">
<criterion comment="kernel-rt-trace-kvm is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160212013"/>
<criterion comment="kernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20152411014"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160258" version="602">
<metadata>
<title>RHSA-2016:0258: thunderbird security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 5</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="RHSA-2016:0258-01" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0258.html" source="RHSA"/>
<reference ref_id="CVE-2016-1521" ref_url="https://access.redhat.com/security/cve/CVE-2016-1521" source="CVE"/>
<reference ref_id="CVE-2016-1522" ref_url="https://access.redhat.com/security/cve/CVE-2016-1522" source="CVE"/>
<reference ref_id="CVE-2016-1523" ref_url="https://access.redhat.com/security/cve/CVE-2016-1523" source="CVE"/>
<reference ref_id="CVE-2016-1930" ref_url="https://access.redhat.com/security/cve/CVE-2016-1930" source="CVE"/>
<reference ref_id="CVE-2016-1935" ref_url="https://access.redhat.com/security/cve/CVE-2016-1935" source="CVE"/>
<description>Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird. (CVE-2016-1930, CVE-2016-1935)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Bob Clary, Christian Holler, Nils Ohlmeier, Gary
Kwong, Jesse Ruderman, Carsten Book, Randell Jesup, and Aki Helin as the
original reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 38.6.0. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 38.6.0, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-02-18"/>
<updated date="2016-02-18"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1521">CVE-2016-1521</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1522">CVE-2016-1522</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1523">CVE-2016-1523</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1930">CVE-2016-1930</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-1935">CVE-2016-1935</cve>
<bugzilla href="https://bugzilla.redhat.com/1301818" id="1301818">CVE-2016-1930 Mozilla: Miscellaneous memory safety hazards (rv:38.6) (MFSA 2016-01)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1301821" id="1301821">CVE-2016-1935 Mozilla: Buffer overflow in WebGL after out of memory allocation (MFSA 2016-03)</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
<cpe>cpe:/a:redhat:rhel_productivity:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:5</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:com.redhat.rhsa:tst:20140741001"/>
<criterion comment="thunderbird is earlier than 0:38.6.0-1.el5_11" test_ref="oval:com.redhat.rhsa:tst:20160258002"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease key" test_ref="oval:com.redhat.rhsa:tst:20150771003"/>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.6.0-1.el6_7" test_ref="oval:com.redhat.rhsa:tst:20160258008"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
</criteria>
<criteria operator="AND">
<criterion comment="thunderbird is earlier than 0:38.6.0-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160258014"/>
<criterion comment="thunderbird is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150642006"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160301" version="601">
<metadata>
<title>RHSA-2016:0301: openssl security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0301-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0301.html" source="RHSA"/>
<reference ref_id="CVE-2015-3197" ref_url="https://access.redhat.com/security/cve/CVE-2015-3197" source="CVE"/>
<reference ref_id="CVE-2016-0702" ref_url="https://access.redhat.com/security/cve/CVE-2016-0702" source="CVE"/>
<reference ref_id="CVE-2016-0705" ref_url="https://access.redhat.com/security/cve/CVE-2016-0705" source="CVE"/>
<reference ref_id="CVE-2016-0797" ref_url="https://access.redhat.com/security/cve/CVE-2016-0797" source="CVE"/>
<reference ref_id="CVE-2016-0800" ref_url="https://access.redhat.com/security/cve/CVE-2016-0800" source="CVE"/>
<description>OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.
A padding oracle flaw was found in the Secure Sockets Layer version 2.0
(SSLv2) protocol. An attacker can potentially use this flaw to decrypt
RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol
version, allowing them to decrypt such connections. This cross-protocol
attack is publicly referred to as DROWN. (CVE-2016-0800)
Note: This issue was addressed by disabling the SSLv2 protocol by default
when using the 'SSLv23' connection methods, and removing support for weak
SSLv2 cipher suites. For more information, refer to the knowledge base
article linked to in the References section.
A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2
ciphers that have been disabled on the server. This could result in weak
SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to
man-in-the-middle attacks. (CVE-2015-3197)
A side-channel attack was found that makes use of cache-bank conflicts on
the Intel Sandy-Bridge microarchitecture. An attacker who has the ability
to control code in a thread running on the same hyper-threaded core as the
victim's thread that is performing decryption, could use this flaw to
recover RSA private keys. (CVE-2016-0702)
A double-free flaw was found in the way OpenSSL parsed certain malformed
DSA (Digital Signature Algorithm) private keys. An attacker could create
specially crafted DSA private keys that, when processed by an application
compiled against OpenSSL, could cause the application to crash.
(CVE-2016-0705)
An integer overflow flaw, leading to a NULL pointer dereference or a
heap-based memory corruption, was found in the way some BIGNUM functions of
OpenSSL were implemented. Applications that use these functions with large
untrusted input could crash or, potentially, execute arbitrary code.
(CVE-2016-0797)
Red Hat would like to thank the OpenSSL project for reporting these issues.
Upstream acknowledges Nimrod Aviram and Sebastian Schinzel as the original
reporters of CVE-2016-0800 and CVE-2015-3197; Adam Langley
(Google/BoringSSL) as the original reporter of CVE-2016-0705; Yuval Yarom
(University of Adelaide and NICTA), Daniel Genkin (Technion and Tel Aviv
University), Nadia Heninger (University of Pennsylvania) as the original
reporters of CVE-2016-0702; and Guido Vranken as the original reporter of
CVE-2016-0797.
All openssl users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. For the update
to take effect, all services linked to the OpenSSL library must be
restarted, or the system rebooted.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-03-01"/>
<updated date="2016-03-01"/>
<cve href="https://access.redhat.com/security/cve/CVE-2015-3197">CVE-2015-3197</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0702">CVE-2016-0702</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0705">CVE-2016-0705</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0797">CVE-2016-0797</cve>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0800">CVE-2016-0800</cve>
<bugzilla href="https://bugzilla.redhat.com/1301846" id="1301846">CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1310593" id="1310593">CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1310596" id="1310596">CVE-2016-0705 OpenSSL: Double-free in DSA code</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1310599" id="1310599">CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation</bugzilla>
<bugzilla href="https://bugzilla.redhat.com/1311880" id="1311880">CVE-2016-0797 OpenSSL: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
<cpe>cpe:/o:redhat:enterprise_linux:6</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140741004"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140741005"/>
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140741006"/>
<criterion comment="Red Hat Enterprise Linux 6 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140741007"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 0:1.0.1e-42.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20160301011"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 0:1.0.1e-42.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20160301007"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 0:1.0.1e-42.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20160301009"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 0:1.0.1e-42.el6_7.4" test_ref="oval:com.redhat.rhsa:tst:20160301005"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="openssl is earlier than 1:1.0.1e-51.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160301021"/>
<criterion comment="openssl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679006"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-devel is earlier than 1:1.0.1e-51.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160301022"/>
<criterion comment="openssl-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679008"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-libs is earlier than 1:1.0.1e-51.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160301017"/>
<criterion comment="openssl-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679014"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-perl is earlier than 1:1.0.1e-51.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160301019"/>
<criterion comment="openssl-perl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679010"/>
</criteria>
<criteria operator="AND">
<criterion comment="openssl-static is earlier than 1:1.0.1e-51.el7_2.4" test_ref="oval:com.redhat.rhsa:tst:20160301020"/>
<criterion comment="openssl-static is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20140679012"/>
</criteria>
</criteria>
</criteria>
</criteria>
</definition>
<definition class="patch" id="oval:com.redhat.rhsa:def:20160346" version="601">
<metadata>
<title>RHSA-2016:0346: postgresql security update (Important)</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="RHSA-2016:0346-00" ref_url="https://rhn.redhat.com/errata/RHSA-2016-0346.html" source="RHSA"/>
<reference ref_id="CVE-2016-0773" ref_url="https://access.redhat.com/security/cve/CVE-2016-0773" source="CVE"/>
<description>PostgreSQL is an advanced object-relational database management system
(DBMS).
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the PostgreSQL handling code for regular expressions. A remote
attacker could use a specially crafted regular expression to cause
PostgreSQL to crash or possibly execute arbitrary code. (CVE-2016-0773)
Red Hat would like to thank PostgreSQL upstream for reporting this issue.
Upstream acknowledges Tom Lane and Greg Stark as the original reporters.
This update upgrades PostgreSQL to version 9.2.15. Refer to the Release
Notes linked to in the References section for a detailed list of changes
since the previous version.
All PostgreSQL users are advised to upgrade to these updated packages,
which correct this issue. If the postgresql service is running, it will
be automatically restarted after installing this update.</description>
<advisory from="secalert@redhat.com">
<severity>Important</severity>
<rights>Copyright 2016 Red Hat, Inc.</rights>
<issued date="2016-03-02"/>
<updated date="2016-03-02"/>
<cve href="https://access.redhat.com/security/cve/CVE-2016-0773">CVE-2016-0773</cve>
<bugzilla href="https://bugzilla.redhat.com/1303832" id="1303832">CVE-2016-0773 postgresql: case insensitive range handling integer overflow leading to buffer overflow</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
</affected_cpe_list>
</advisory>
</metadata>
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20140675001"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:com.redhat.rhsa:tst:20140675002"/>
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:com.redhat.rhsa:tst:20140675003"/>
<criterion comment="Red Hat Enterprise Linux 7 ComputeNode is installed" test_ref="oval:com.redhat.rhsa:tst:20140675004"/>
</criteria>
<criteria operator="OR">
<criteria operator="AND">
<criterion comment="postgresql is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346005"/>
<criterion comment="postgresql is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750006"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-contrib is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346023"/>
<criterion comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750018"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-devel is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346021"/>
<criterion comment="postgresql-devel is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750014"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-docs is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346019"/>
<criterion comment="postgresql-docs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750016"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-libs is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346017"/>
<criterion comment="postgresql-libs is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750020"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plperl is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346015"/>
<criterion comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750012"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-plpython is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346009"/>
<criterion comment="postgresql-plpython is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750008"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-pltcl is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346007"/>
<criterion comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750022"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-server is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346011"/>
<criterion comment="postgresql-server is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750010"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-test is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346013"/>
<criterion comment="postgresql-test is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750024"/>
</criteria>
<criteria operator="AND">
<criterion comment="postgresql-upgrade is earlier than 0:9.2.15-1.el7_2" test_ref="oval:com.redhat.rhsa:tst:20160346025"/>
<criterion comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhsa:tst:20150750037"/>
</criteria>
</criteria>
</criteria>
</definition>
</definitions>
<tests>
<red-def:rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 7 Client is installed" id="oval:com.redhat.rhsa:tst:20140675001" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675001"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 7 Server is installed" id="oval:com.redhat.rhsa:tst:20140675002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 7 Workstation is installed" id="oval:com.redhat.rhsa:tst:20140675003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 7 ComputeNode is installed" id="oval:com.redhat.rhsa:tst:20140675004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.55-2.4.7.2.el7_0" id="oval:com.redhat.rhsa:tst:20140675005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140675006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.55-2.4.7.2.el7_0" id="oval:com.redhat.rhsa:tst:20140675007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140675008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.55-2.4.7.2.el7_0" id="oval:com.redhat.rhsa:tst:20140675009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140675010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.55-2.4.7.2.el7_0" id="oval:com.redhat.rhsa:tst:20140675011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140675012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.55-2.4.7.2.el7_0" id="oval:com.redhat.rhsa:tst:20140675013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140675014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.55-2.4.7.2.el7_0" id="oval:com.redhat.rhsa:tst:20140675015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140675016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.55-2.4.7.2.el7_0" id="oval:com.redhat.rhsa:tst:20140675017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140675018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.1.2.el7" id="oval:com.redhat.rhsa:tst:20140678033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140678003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140678034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-34.el7_0.3" id="oval:com.redhat.rhsa:tst:20140679005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140679003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140679006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.3" id="oval:com.redhat.rhsa:tst:20140679007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140679003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140679008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.3" id="oval:com.redhat.rhsa:tst:20140679009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140679003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140679010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.3" id="oval:com.redhat.rhsa:tst:20140679011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140679003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140679012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.3" id="oval:com.redhat.rhsa:tst:20140679013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140679003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140679014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl098e is earlier than 0:0.9.8e-29.el7_0.2" id="oval:com.redhat.rhsa:tst:20140680005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140680005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140680003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl098e is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140680006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140680005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls is earlier than 0:3.1.18-9.el7_0" id="oval:com.redhat.rhsa:tst:20140684005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140684003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140684006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-dane is earlier than 0:3.1.18-9.el7_0" id="oval:com.redhat.rhsa:tst:20140684007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140684003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-dane is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140684008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-c++ is earlier than 0:3.1.18-9.el7_0" id="oval:com.redhat.rhsa:tst:20140684009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140684003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-c++ is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140684010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-utils is earlier than 0:3.1.18-9.el7_0" id="oval:com.redhat.rhsa:tst:20140684011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140684003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-utils is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140684012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-devel is earlier than 0:3.1.18-9.el7_0" id="oval:com.redhat.rhsa:tst:20140684013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140684003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140684014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.3.el7_0" id="oval:com.redhat.rhsa:tst:20140685005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140685003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140685006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.3.el7_0" id="oval:com.redhat.rhsa:tst:20140685007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140685003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140685008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.3.el7_0" id="oval:com.redhat.rhsa:tst:20140685009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140685003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140685010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.3.el7_0" id="oval:com.redhat.rhsa:tst:20140685011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140685003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140685012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.3.el7_0" id="oval:com.redhat.rhsa:tst:20140685013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140685003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140685014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-webapps is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-webapps is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-lib is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-lib is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-javadoc is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-docs-webapp is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-docs-webapp is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-admin-webapps is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-admin-webapps is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsp-2.2-api is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsp-2.2-api is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-servlet-3.0-api is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-servlet-3.0-api is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsvc is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsvc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-el-2.2-api is earlier than 0:7.0.42-5.el7_0" id="oval:com.redhat.rhsa:tst:20140686023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140686003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-el-2.2-api is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140686024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libtasn1 is earlier than 0:3.3-5.el7_0" id="oval:com.redhat.rhsa:tst:20140687005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140687005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140687003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libtasn1 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140687006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140687005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libtasn1-tools is earlier than 0:3.3-5.el7_0" id="oval:com.redhat.rhsa:tst:20140687007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140687006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140687003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libtasn1-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140687008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140687006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libtasn1-devel is earlier than 0:3.3-5.el7_0" id="oval:com.redhat.rhsa:tst:20140687009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140687007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140687003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libtasn1-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140687010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140687007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb is earlier than 1:5.5.37-1.el7_0" id="oval:com.redhat.rhsa:tst:20140702005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140702003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140702006" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-libs is earlier than 1:5.5.37-1.el7_0" id="oval:com.redhat.rhsa:tst:20140702007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140702003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140702008" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded-devel is earlier than 1:5.5.37-1.el7_0" id="oval:com.redhat.rhsa:tst:20140702009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140702003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140702010" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-bench is earlier than 1:5.5.37-1.el7_0" id="oval:com.redhat.rhsa:tst:20140702011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140702003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-bench is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140702012" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded is earlier than 1:5.5.37-1.el7_0" id="oval:com.redhat.rhsa:tst:20140702013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140702003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140702014" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-test is earlier than 1:5.5.37-1.el7_0" id="oval:com.redhat.rhsa:tst:20140702015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140702003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-test is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140702016" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-devel is earlier than 1:5.5.37-1.el7_0" id="oval:com.redhat.rhsa:tst:20140702017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140702003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140702018" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-server is earlier than 1:5.5.37-1.el7_0" id="oval:com.redhat.rhsa:tst:20140702019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140702003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140702020" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="json-c is earlier than 0:0.11-4.el7_0" id="oval:com.redhat.rhsa:tst:20140703005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140703005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140703003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="json-c is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140703006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140703005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="json-c-devel is earlier than 0:0.11-4.el7_0" id="oval:com.redhat.rhsa:tst:20140703007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140703006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140703003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="json-c-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140703008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140703006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="json-c-doc is earlier than 0:0.11-4.el7_0" id="oval:com.redhat.rhsa:tst:20140703009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140703007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140703003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="json-c-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140703010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140703007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is earlier than 10:1.5.3-60.el7_0.2" id="oval:com.redhat.rhsa:tst:20140704005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140704003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140704006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is earlier than 10:1.5.3-60.el7_0.2" id="oval:com.redhat.rhsa:tst:20140704007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140704003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140704008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is earlier than 10:1.5.3-60.el7_0.2" id="oval:com.redhat.rhsa:tst:20140704009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140704003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140704010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.2" id="oval:com.redhat.rhsa:tst:20140704011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140704003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-guest-agent is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140704012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is earlier than 10:1.5.3-60.el7_0.2" id="oval:com.redhat.rhsa:tst:20140704013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140704003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140704014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is earlier than 10:1.5.3-60.el7_0.2" id="oval:com.redhat.rhsa:tst:20140704015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140704003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140704016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.2" id="oval:com.redhat.rhsa:tst:20140704017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140704003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140704018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.2" id="oval:com.redhat.rhsa:tst:20140704019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140704003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140704020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 5 is installed" id="oval:com.redhat.rhsa:tst:20140741001" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741001"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:24.6.0-1.el5_10" id="oval:com.redhat.rhsa:tst:20140741002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140741003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 6 Client is installed" id="oval:com.redhat.rhsa:tst:20140741004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675001"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 6 Server is installed" id="oval:com.redhat.rhsa:tst:20140741005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 6 Workstation is installed" id="oval:com.redhat.rhsa:tst:20140741006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 6 ComputeNode is installed" id="oval:com.redhat.rhsa:tst:20140741007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:24.6.0-1.el6_5" id="oval:com.redhat.rhsa:tst:20140741008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140741009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:24.6.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20140741014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner is earlier than 0:24.6.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20140741015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140741016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner-devel is earlier than 0:24.6.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20140741017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140741018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-123.4.2.el7" id="oval:com.redhat.rhsa:tst:20140786033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140786003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot is earlier than 1:2.0.9-7.el6_5.1" id="oval:com.redhat.rhsa:tst:20140790005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140790003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140790006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-pigeonhole is earlier than 1:2.0.9-7.el6_5.1" id="oval:com.redhat.rhsa:tst:20140790007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140790003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-pigeonhole is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140790008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-mysql is earlier than 1:2.0.9-7.el6_5.1" id="oval:com.redhat.rhsa:tst:20140790009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140790003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-mysql is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140790010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-devel is earlier than 1:2.0.9-7.el6_5.1" id="oval:com.redhat.rhsa:tst:20140790011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140790003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140790012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-pgsql is earlier than 1:2.0.9-7.el6_5.1" id="oval:com.redhat.rhsa:tst:20140790013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140790003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-pgsql is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140790014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot is earlier than 1:2.2.10-4.el7_0.1" id="oval:com.redhat.rhsa:tst:20140790019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140790005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-pigeonhole is earlier than 1:2.2.10-4.el7_0.1" id="oval:com.redhat.rhsa:tst:20140790020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140790005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-mysql is earlier than 1:2.2.10-4.el7_0.1" id="oval:com.redhat.rhsa:tst:20140790021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140790005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="dovecot-pgsql is earlier than 1:2.2.10-4.el7_0.1" id="oval:com.redhat.rhsa:tst:20140790022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140790009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140790005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-docs-webapp is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-javadoc is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsvc is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-webapps is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-servlet-3.0-api is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-lib is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-el-2.2-api is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsp-2.2-api is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-admin-webapps is earlier than 0:7.0.42-6.el7_0" id="oval:com.redhat.rhsa:tst:20140827023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lzo is earlier than 0:2.03-3.1.el6_5.1" id="oval:com.redhat.rhsa:tst:20140861005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140861005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lzo is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140861006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140861005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lzo-minilzo is earlier than 0:2.03-3.1.el6_5.1" id="oval:com.redhat.rhsa:tst:20140861007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140861006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lzo-minilzo is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140861008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140861006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lzo-devel is earlier than 0:2.03-3.1.el6_5.1" id="oval:com.redhat.rhsa:tst:20140861009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140861007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lzo-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140861010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140861007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lzo is earlier than 0:2.06-6.el7_0.2" id="oval:com.redhat.rhsa:tst:20140861015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140861005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140861005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lzo-minilzo is earlier than 0:2.06-6.el7_0.2" id="oval:com.redhat.rhsa:tst:20140861016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140861006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140861005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lzo-devel is earlier than 0:2.06-6.el7_0.2" id="oval:com.redhat.rhsa:tst:20140861017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140861007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140861005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient-devel is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-python is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-krb5-locator is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-krb5-locator is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc-libs is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-modules is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-modules is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-clients is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-clients is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-devel is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-pidl is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-pidl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-libs is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test-devel is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient-devel is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-common is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-common is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-client is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-client is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-vfs-glusterfs is earlier than 0:4.1.1-35.el7_0" id="oval:com.redhat.rhsa:tst:20140867043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140867003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-vfs-glusterfs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140867044" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.65-2.5.1.2.el6_5" id="oval:com.redhat.rhsa:tst:20140889005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.65-2.5.1.2.el6_5" id="oval:com.redhat.rhsa:tst:20140889007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.65-2.5.1.2.el6_5" id="oval:com.redhat.rhsa:tst:20140889009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.65-2.5.1.2.el6_5" id="oval:com.redhat.rhsa:tst:20140889011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.65-2.5.1.2.el6_5" id="oval:com.redhat.rhsa:tst:20140889013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.65-2.5.1.2.el7_0" id="oval:com.redhat.rhsa:tst:20140889019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.65-2.5.1.2.el7_0" id="oval:com.redhat.rhsa:tst:20140889020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.65-2.5.1.2.el7_0" id="oval:com.redhat.rhsa:tst:20140889022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.65-2.5.1.2.el7_0" id="oval:com.redhat.rhsa:tst:20140889023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.65-2.5.1.2.el7_0" id="oval:com.redhat.rhsa:tst:20140889024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.65-2.5.1.2.el7_0" id="oval:com.redhat.rhsa:tst:20140889026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.65-2.5.1.2.el7_0" id="oval:com.redhat.rhsa:tst:20140889027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140889005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.4.el5_10" id="oval:com.redhat.rhsa:tst:20140907002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140907003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.4.el5_10" id="oval:com.redhat.rhsa:tst:20140907004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140907005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.4.el5_10" id="oval:com.redhat.rhsa:tst:20140907006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140907007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.4.el5_10" id="oval:com.redhat.rhsa:tst:20140907008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140907009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.4.el5_10" id="oval:com.redhat.rhsa:tst:20140907010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140907011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.4.el6_5" id="oval:com.redhat.rhsa:tst:20140907016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.4.el6_5" id="oval:com.redhat.rhsa:tst:20140907018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.4.el6_5" id="oval:com.redhat.rhsa:tst:20140907020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.4.el6_5" id="oval:com.redhat.rhsa:tst:20140907022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.4.el6_5" id="oval:com.redhat.rhsa:tst:20140907024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.4.el7_0" id="oval:com.redhat.rhsa:tst:20140907030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.4.el7_0" id="oval:com.redhat.rhsa:tst:20140907031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.4.el7_0" id="oval:com.redhat.rhsa:tst:20140907032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.4.el7_0" id="oval:com.redhat.rhsa:tst:20140907033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.4.el7_0" id="oval:com.redhat.rhsa:tst:20140907034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140907008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914006" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-network is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-network is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914008" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-network is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-network is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914010" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-secret is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-secret is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914012" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-login-shell is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-login-shell is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914014" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914016" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-storage is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-storage is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914018" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nodedev is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nodedev is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914020" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-nwfilter is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914021" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-nwfilter is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914022" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-devel is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914023" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914024" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-lxc is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914025" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-lxc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914026" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-interface is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914027" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-interface is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914028" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-lxc is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914029" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-lxc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914030" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-docs is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914031" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-docs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914032" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-client is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914033" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-client is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914034" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-python is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914035" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914036" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nwfilter is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914037" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nwfilter is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914038" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-qemu is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914039" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-qemu is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914040" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-lock-sanlock is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914041" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-lock-sanlock is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914042" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-kvm is earlier than 0:1.1.1-29.el7_0.1" id="oval:com.redhat.rhsa:tst:20140914043" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140914003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-kvm is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140914044" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.15.3-7.el5_10" id="oval:com.redhat.rhsa:tst:20140916002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140916003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.15.3-7.el5_10" id="oval:com.redhat.rhsa:tst:20140916004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140916005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.15.3-7.el5_10" id="oval:com.redhat.rhsa:tst:20140916006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140916007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.15.3-7.el5_10" id="oval:com.redhat.rhsa:tst:20140916008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140916009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr is earlier than 0:4.10.6-1.el5_10" id="oval:com.redhat.rhsa:tst:20140916010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140916011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr-devel is earlier than 0:4.10.6-1.el5_10" id="oval:com.redhat.rhsa:tst:20140916012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr-devel is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20140916013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.15.4-7.el7_0" id="oval:com.redhat.rhsa:tst:20140916018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140916019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.15.4-7.el7_0" id="oval:com.redhat.rhsa:tst:20140916020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140916021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.15.4-7.el7_0" id="oval:com.redhat.rhsa:tst:20140916022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140916023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.15.4-7.el7_0" id="oval:com.redhat.rhsa:tst:20140916024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140916025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.15.4-7.el7_0" id="oval:com.redhat.rhsa:tst:20140916026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140916027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr is earlier than 0:4.10.6-1.el7_0" id="oval:com.redhat.rhsa:tst:20140916028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140916029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr-devel is earlier than 0:4.10.6-1.el7_0" id="oval:com.redhat.rhsa:tst:20140916030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140916008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140916031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:24.7.0-1.el5_10" id="oval:com.redhat.rhsa:tst:20140919002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140919004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:24.7.0-1.el6_5" id="oval:com.redhat.rhsa:tst:20140919008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140919006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:24.7.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20140919014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140919008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner is earlier than 0:24.7.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20140919015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140919008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner-devel is earlier than 0:24.7.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20140919017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140919008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd is earlier than 0:2.4.6-18.el7_0" id="oval:com.redhat.rhsa:tst:20140921005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140921003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140921006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_proxy_html is earlier than 1:2.4.6-18.el7_0" id="oval:com.redhat.rhsa:tst:20140921007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140921004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_proxy_html is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140921008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ldap is earlier than 0:2.4.6-18.el7_0" id="oval:com.redhat.rhsa:tst:20140921009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140921003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ldap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140921010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-tools is earlier than 0:2.4.6-18.el7_0" id="oval:com.redhat.rhsa:tst:20140921011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140921003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140921012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-devel is earlier than 0:2.4.6-18.el7_0" id="oval:com.redhat.rhsa:tst:20140921013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140921003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140921014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_session is earlier than 0:2.4.6-18.el7_0" id="oval:com.redhat.rhsa:tst:20140921015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140921003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_session is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140921016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-manual is earlier than 0:2.4.6-18.el7_0" id="oval:com.redhat.rhsa:tst:20140921017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140921003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-manual is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140921018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ssl is earlier than 1:2.4.6-18.el7_0" id="oval:com.redhat.rhsa:tst:20140921019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140921004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ssl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20140921020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.4.4.el7" id="oval:com.redhat.rhsa:tst:20140923033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140923003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is earlier than 10:1.5.3-60.el7_0.5" id="oval:com.redhat.rhsa:tst:20140927005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140927003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.5" id="oval:com.redhat.rhsa:tst:20140927007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140927003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is earlier than 10:1.5.3-60.el7_0.5" id="oval:com.redhat.rhsa:tst:20140927009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140927003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is earlier than 10:1.5.3-60.el7_0.5" id="oval:com.redhat.rhsa:tst:20140927011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140927003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is earlier than 10:1.5.3-60.el7_0.5" id="oval:com.redhat.rhsa:tst:20140927013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140927003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is earlier than 10:1.5.3-60.el7_0.5" id="oval:com.redhat.rhsa:tst:20140927015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140927003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.5" id="oval:com.redhat.rhsa:tst:20140927017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140927003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.5" id="oval:com.redhat.rhsa:tst:20140927019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140927003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-libs is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-clients is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-client is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-pidl is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-devel is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test-devel is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008021" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc-libs is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008023" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-modules is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008025" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008027" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-python is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008029" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-common is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008031" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008033" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008035" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-krb5-locator is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008037" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient-devel is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008039" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient-devel is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008041" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-vfs-glusterfs is earlier than 0:4.1.1-37.el7_0" id="oval:com.redhat.rhsa:tst:20141008043" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011006" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-tjws is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-tjws is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011008" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-atom-provider is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-atom-provider is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011010" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jaxrs-all is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jaxrs-all is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011012" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jettison-provider is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jettison-provider is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011014" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-providers-pom is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-providers-pom is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011016" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jackson-provider is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jackson-provider is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011018" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jaxrs-api is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jaxrs-api is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011020" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-javadoc is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011021" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011022" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jaxrs is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011023" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jaxrs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011024" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jaxb-provider is earlier than 0:2.3.5-3.el7_0" id="oval:com.redhat.rhsa:tst:20141011025" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141011003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="resteasy-base-jaxb-provider is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141011026" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141011015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pdo is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pdo is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-bcmath is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-bcmath is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-intl is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-intl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-soap is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-soap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-ldap is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-ldap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pgsql is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pgsql is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xml is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xml is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-common is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-common is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-gd is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-gd is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-odbc is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-odbc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysqlnd is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysqlnd is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-process is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-process is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-embedded is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-embedded is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-recode is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-recode is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-snmp is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-snmp is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xmlrpc is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xmlrpc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-cli is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-cli is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pspell is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pspell is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-devel is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013044" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-dba is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-dba is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013046" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mbstring is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mbstring is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013048" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysql is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysql is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013050" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-enchant is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-enchant is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013052" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-fpm is earlier than 0:5.4.16-23.el7_0" id="oval:com.redhat.rhsa:tst:20141013053" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141013003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-fpm is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141013054" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-123.6.3.el7" id="oval:com.redhat.rhsa:tst:20141023033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base is earlier than 0:1.2.11.15-34.el6_5" id="oval:com.redhat.rhsa:tst:20141031005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141031003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141031006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-libs is earlier than 0:1.2.11.15-34.el6_5" id="oval:com.redhat.rhsa:tst:20141031007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141031003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141031008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-devel is earlier than 0:1.2.11.15-34.el6_5" id="oval:com.redhat.rhsa:tst:20141031009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141031003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141031010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base is earlier than 0:1.3.1.6-26.el7_0" id="oval:com.redhat.rhsa:tst:20141031015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141031005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-devel is earlier than 0:1.3.1.6-26.el7_0" id="oval:com.redhat.rhsa:tst:20141031016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141031005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-libs is earlier than 0:1.3.1.6-26.el7_0" id="oval:com.redhat.rhsa:tst:20141031017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141031005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsvc is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-docs-webapp is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-admin-webapps is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-javadoc is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-el-2.2-api is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-lib is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-servlet-3.0-api is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsp-2.2-api is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-webapps is earlier than 0:7.0.42-8.el7_0" id="oval:com.redhat.rhsa:tst:20141034023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141034003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 0:1.0.1e-16.el6_5.15" id="oval:com.redhat.rhsa:tst:20141052005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141052003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 0:1.0.1e-16.el6_5.15" id="oval:com.redhat.rhsa:tst:20141052007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141052003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 0:1.0.1e-16.el6_5.15" id="oval:com.redhat.rhsa:tst:20141052009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141052003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 0:1.0.1e-16.el6_5.15" id="oval:com.redhat.rhsa:tst:20141052011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141052003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-34.el7_0.4" id="oval:com.redhat.rhsa:tst:20141052017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141052005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.4" id="oval:com.redhat.rhsa:tst:20141052018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141052005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.4" id="oval:com.redhat.rhsa:tst:20141052020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141052005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.4" id="oval:com.redhat.rhsa:tst:20141052021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141052005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.4" id="oval:com.redhat.rhsa:tst:20141052022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141052005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is earlier than 0:3.16.2-1.el7_0" id="oval:com.redhat.rhsa:tst:20141073005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141073006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is earlier than 0:3.16.2-1.el7_0" id="oval:com.redhat.rhsa:tst:20141073007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141073008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn is earlier than 0:3.16.2-1.el7_0" id="oval:com.redhat.rhsa:tst:20141073009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141073010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl-devel is earlier than 0:3.16.2-1.el7_0" id="oval:com.redhat.rhsa:tst:20141073011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141073012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-devel is earlier than 0:3.16.2-1.el7_0" id="oval:com.redhat.rhsa:tst:20141073013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141073014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl is earlier than 0:3.16.2-1.el7_0" id="oval:com.redhat.rhsa:tst:20141073015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141073016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141073017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141073019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141073021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141073023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141073025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_wsgi is earlier than 0:3.4-12.el7_0" id="oval:com.redhat.rhsa:tst:20141091005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141091005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141091003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_wsgi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141091006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141091005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.5-118.el5_10.3" id="oval:com.redhat.rhsa:tst:20141110002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141110003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.5-118.el5_10.3" id="oval:com.redhat.rhsa:tst:20141110004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141110005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.5-118.el5_10.3" id="oval:com.redhat.rhsa:tst:20141110006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141110007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.5-118.el5_10.3" id="oval:com.redhat.rhsa:tst:20141110008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141110009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.5-118.el5_10.3" id="oval:com.redhat.rhsa:tst:20141110010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141110011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.5-118.el5_10.3" id="oval:com.redhat.rhsa:tst:20141110012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141110013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.12-1.132.el6_5.4" id="oval:com.redhat.rhsa:tst:20141110018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141110019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.12-1.132.el6_5.4" id="oval:com.redhat.rhsa:tst:20141110020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141110021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.12-1.132.el6_5.4" id="oval:com.redhat.rhsa:tst:20141110022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141110023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.12-1.132.el6_5.4" id="oval:com.redhat.rhsa:tst:20141110024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141110025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is earlier than 0:2.12-1.132.el6_5.4" id="oval:com.redhat.rhsa:tst:20141110026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141110027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.12-1.132.el6_5.4" id="oval:com.redhat.rhsa:tst:20141110028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141110029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.12-1.132.el6_5.4" id="oval:com.redhat.rhsa:tst:20141110030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141110031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.17-55.el7_0.1" id="oval:com.redhat.rhsa:tst:20141110036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.17-55.el7_0.1" id="oval:com.redhat.rhsa:tst:20141110037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.17-55.el7_0.1" id="oval:com.redhat.rhsa:tst:20141110038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.17-55.el7_0.1" id="oval:com.redhat.rhsa:tst:20141110039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.17-55.el7_0.1" id="oval:com.redhat.rhsa:tst:20141110040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is earlier than 0:2.17-55.el7_0.1" id="oval:com.redhat.rhsa:tst:20141110041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.17-55.el7_0.1" id="oval:com.redhat.rhsa:tst:20141110042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141110008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:24.8.0-2.el5_10" id="oval:com.redhat.rhsa:tst:20141144002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141144004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:24.8.0-1.el6_5" id="oval:com.redhat.rhsa:tst:20141144008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141144006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:24.8.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20141144014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141144008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner is earlier than 0:24.8.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20141144015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141144008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner-devel is earlier than 0:24.8.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20141144017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141144008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpcomponents-client is earlier than 0:4.2.5-5.el7_0" id="oval:com.redhat.rhsa:tst:20141146005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141146005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141146003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpcomponents-client is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141146006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141146005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpcomponents-client-javadoc is earlier than 0:4.2.5-5.el7_0" id="oval:com.redhat.rhsa:tst:20141146007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141146006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141146003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpcomponents-client-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141146008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141146006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="squid is earlier than 7:3.3.8-12.el7_0" id="oval:com.redhat.rhsa:tst:20141147005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141147005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141147003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="squid is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141147006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141147005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="squid-sysvinit is earlier than 7:3.3.8-12.el7_0" id="oval:com.redhat.rhsa:tst:20141147007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141147006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141147003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="squid-sysvinit is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141147008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141147006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient is earlier than 1:3.0-7jpp.4.el5_10" id="oval:com.redhat.rhsa:tst:20141166002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141166003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-javadoc is earlier than 1:3.0-7jpp.4.el5_10" id="oval:com.redhat.rhsa:tst:20141166004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141166005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-manual is earlier than 1:3.0-7jpp.4.el5_10" id="oval:com.redhat.rhsa:tst:20141166006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141166007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-demo is earlier than 1:3.0-7jpp.4.el5_10" id="oval:com.redhat.rhsa:tst:20141166008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141166009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient is earlier than 1:3.1-0.9.el6_5" id="oval:com.redhat.rhsa:tst:20141166014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141166015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-javadoc is earlier than 1:3.1-0.9.el6_5" id="oval:com.redhat.rhsa:tst:20141166016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141166017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-manual is earlier than 1:3.1-0.9.el6_5" id="oval:com.redhat.rhsa:tst:20141166018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141166019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-demo is earlier than 1:3.1-0.9.el6_5" id="oval:com.redhat.rhsa:tst:20141166020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141166021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient is earlier than 1:3.1-16.el7_0" id="oval:com.redhat.rhsa:tst:20141166026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-manual is earlier than 1:3.1-16.el7_0" id="oval:com.redhat.rhsa:tst:20141166027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-demo is earlier than 1:3.1-16.el7_0" id="oval:com.redhat.rhsa:tst:20141166028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-commons-httpclient-javadoc is earlier than 1:3.1-16.el7_0" id="oval:com.redhat.rhsa:tst:20141166029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141166003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141166008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="procmail is earlier than 0:3.22-17.1.2" id="oval:com.redhat.rhsa:tst:20141172002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141172002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141172004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="procmail is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141172003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141172002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="procmail is earlier than 0:3.22-25.1.el6_5.1" id="oval:com.redhat.rhsa:tst:20141172008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141172002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141172006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="procmail is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141172009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141172002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="procmail is earlier than 0:3.22-34.el7_0.1" id="oval:com.redhat.rhsa:tst:20141172014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141172002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141172008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.8.1.el7" id="oval:com.redhat.rhsa:tst:20141281033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141281003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="haproxy is earlier than 0:1.5.2-3.el7_0" id="oval:com.redhat.rhsa:tst:20141292005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141292005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141292003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="haproxy is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141292006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141292005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash is earlier than 0:4.1.2-15.el6_5.1" id="oval:com.redhat.rhsa:tst:20141293005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141293004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141293006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash-doc is earlier than 0:4.1.2-15.el6_5.1" id="oval:com.redhat.rhsa:tst:20141293007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141293004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141293008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash is earlier than 0:3.2-33.el5.1" id="oval:com.redhat.rhsa:tst:20141293010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141293006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141293011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash is earlier than 0:4.2.45-5.el7_0.2" id="oval:com.redhat.rhsa:tst:20141293016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141293008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash-doc is earlier than 0:4.2.45-5.el7_0.2" id="oval:com.redhat.rhsa:tst:20141293017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141293008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash is earlier than 0:4.1.2-15.el6_5.2" id="oval:com.redhat.rhsa:tst:20141306005" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141306004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash-doc is earlier than 0:4.1.2-15.el6_5.2" id="oval:com.redhat.rhsa:tst:20141306007" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141306004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash is earlier than 0:3.2-33.el5_11.4" id="oval:com.redhat.rhsa:tst:20141306010" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141306006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash is earlier than 0:4.2.45-5.el7_0.4" id="oval:com.redhat.rhsa:tst:20141306016" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141306008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bash-doc is earlier than 0:4.2.45-5.el7_0.4" id="oval:com.redhat.rhsa:tst:20141306017" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141293006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141306008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is earlier than 0:3.16.1-2.el6_5" id="oval:com.redhat.rhsa:tst:20141307005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is earlier than 0:3.16.1-2.el6_5" id="oval:com.redhat.rhsa:tst:20141307007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.16.1-7.el6_5" id="oval:com.redhat.rhsa:tst:20141307009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.16.1-7.el6_5" id="oval:com.redhat.rhsa:tst:20141307011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.16.1-7.el6_5" id="oval:com.redhat.rhsa:tst:20141307013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.16.1-7.el6_5" id="oval:com.redhat.rhsa:tst:20141307015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.16.1-7.el6_5" id="oval:com.redhat.rhsa:tst:20141307017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn is earlier than 0:3.14.3-12.el6_5" id="oval:com.redhat.rhsa:tst:20141307019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl-devel is earlier than 0:3.14.3-12.el6_5" id="oval:com.redhat.rhsa:tst:20141307021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl is earlier than 0:3.14.3-12.el6_5" id="oval:com.redhat.rhsa:tst:20141307023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-devel is earlier than 0:3.14.3-12.el6_5" id="oval:com.redhat.rhsa:tst:20141307025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.16.1-4.el5_11" id="oval:com.redhat.rhsa:tst:20141307028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.16.1-4.el5_11" id="oval:com.redhat.rhsa:tst:20141307030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.16.1-4.el5_11" id="oval:com.redhat.rhsa:tst:20141307032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.16.1-4.el5_11" id="oval:com.redhat.rhsa:tst:20141307034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141307040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-devel is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141307041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl-devel is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141307042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141307043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141307044" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is earlier than 0:3.16.2-2.el7_0" id="oval:com.redhat.rhsa:tst:20141307045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141073005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.16.2-7.el7_0" id="oval:com.redhat.rhsa:tst:20141307046" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307012"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.16.2-7.el7_0" id="oval:com.redhat.rhsa:tst:20141307047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307012"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.16.2-7.el7_0" id="oval:com.redhat.rhsa:tst:20141307048" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307012"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.16.2-7.el7_0" id="oval:com.redhat.rhsa:tst:20141307049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307012"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.16.2-7.el7_0" id="oval:com.redhat.rhsa:tst:20141307050" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141307012"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2 is earlier than 0:2.7.1-12.7.el6_5" id="oval:com.redhat.rhsa:tst:20141319005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141319006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-demo is earlier than 0:2.7.1-12.7.el6_5" id="oval:com.redhat.rhsa:tst:20141319007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-demo is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141319008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc-apis is earlier than 0:2.7.1-12.7.el6_5" id="oval:com.redhat.rhsa:tst:20141319009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc-apis is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141319010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-scripts is earlier than 0:2.7.1-12.7.el6_5" id="oval:com.redhat.rhsa:tst:20141319011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-scripts is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141319012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc-xni is earlier than 0:2.7.1-12.7.el6_5" id="oval:com.redhat.rhsa:tst:20141319013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc-xni is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141319014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc-impl is earlier than 0:2.7.1-12.7.el6_5" id="oval:com.redhat.rhsa:tst:20141319015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc-impl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141319016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc-other is earlier than 0:2.7.1-12.7.el6_5" id="oval:com.redhat.rhsa:tst:20141319017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc-other is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141319018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2 is earlier than 0:2.11.0-17.el7_0" id="oval:com.redhat.rhsa:tst:20141319023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-demo is earlier than 0:2.11.0-17.el7_0" id="oval:com.redhat.rhsa:tst:20141319024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc is earlier than 0:2.11.0-17.el7_0" id="oval:com.redhat.rhsa:tst:20141319025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141319005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-j2-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141319026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141319012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xmlrpc is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-ldap is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-dba is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-snmp is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-recode is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysqlnd is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-devel is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pgsql is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-fpm is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-cli is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-enchant is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pspell is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-common is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xml is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-process is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-bcmath is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-intl is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-embedded is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysql is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-gd is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mbstring is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-odbc is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pdo is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-soap is earlier than 0:5.4.16-23.el7_0.1" id="oval:com.redhat.rhsa:tst:20141327053" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-python is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-client is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-devel is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-network is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-secret is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-docs is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-lxc is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-lxc is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nwfilter is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nodedev is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-interface is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-nwfilter is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-login-shell is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-network is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-storage is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-kvm is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-lock-sanlock is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-qemu is earlier than 0:1.1.1-29.el7_0.3" id="oval:com.redhat.rhsa:tst:20141352043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141352003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-qt is earlier than 0:0.103.0-10.el7_0" id="oval:com.redhat.rhsa:tst:20141359005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141359005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141359003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-qt is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141359006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141359005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-qt-devel is earlier than 0:0.103.0-10.el7_0" id="oval:com.redhat.rhsa:tst:20141359007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141359006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141359003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-qt-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141359008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141359006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-qt-doc is earlier than 0:0.103.0-10.el7_0" id="oval:com.redhat.rhsa:tst:20141359009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141359007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141359003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-qt-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141359010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141359007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mmaudit is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mmaudit is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-crypto is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-crypto is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-relp is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-relp is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mysql is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mysql is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-libdbi is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-libdbi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mmjsonparse is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mmjsonparse is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-doc is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-elasticsearch is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-elasticsearch is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mmsnmptrapd is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mmsnmptrapd is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-udpspoof is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-udpspoof is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-gssapi is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-gssapi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-pgsql is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-pgsql is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mmnormalize is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-mmnormalize is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-gnutls is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-gnutls is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-snmp is earlier than 0:7.4.7-7.el7_0" id="oval:com.redhat.rhsa:tst:20141397035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141397003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rsyslog-snmp is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141397036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141397020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.71-2.5.3.1.el7_0" id="oval:com.redhat.rhsa:tst:20141620005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.71-2.5.3.1.el7_0" id="oval:com.redhat.rhsa:tst:20141620007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.71-2.5.3.1.el7_0" id="oval:com.redhat.rhsa:tst:20141620009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.71-2.5.3.1.el7_0" id="oval:com.redhat.rhsa:tst:20141620011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.71-2.5.3.1.el7_0" id="oval:com.redhat.rhsa:tst:20141620013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.71-2.5.3.1.el7_0" id="oval:com.redhat.rhsa:tst:20141620015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.71-2.5.3.1.el7_0" id="oval:com.redhat.rhsa:tst:20141620017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.71-2.5.3.1.el6" id="oval:com.redhat.rhsa:tst:20141620023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.71-2.5.3.1.el6" id="oval:com.redhat.rhsa:tst:20141620024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.71-2.5.3.1.el6" id="oval:com.redhat.rhsa:tst:20141620025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.71-2.5.3.1.el6" id="oval:com.redhat.rhsa:tst:20141620026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.71-2.5.3.1.el6" id="oval:com.redhat.rhsa:tst:20141620027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141620005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.33-1.13.5.0.el5_11" id="oval:com.redhat.rhsa:tst:20141634002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.33-1.13.5.0.el5_11" id="oval:com.redhat.rhsa:tst:20141634004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.33-1.13.5.0.el5_11" id="oval:com.redhat.rhsa:tst:20141634006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.33-1.13.5.0.el5_11" id="oval:com.redhat.rhsa:tst:20141634008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.33-1.13.5.0.el5_11" id="oval:com.redhat.rhsa:tst:20141634010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.33-1.13.5.0.el7_0" id="oval:com.redhat.rhsa:tst:20141634016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.33-1.13.5.0.el7_0" id="oval:com.redhat.rhsa:tst:20141634018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.33-1.13.5.0.el7_0" id="oval:com.redhat.rhsa:tst:20141634020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.33-1.13.5.0.el7_0" id="oval:com.redhat.rhsa:tst:20141634022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.33-1.13.5.0.el7_0" id="oval:com.redhat.rhsa:tst:20141634024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.33-1.13.5.0.el6_6" id="oval:com.redhat.rhsa:tst:20141634030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.33-1.13.5.0.el6_6" id="oval:com.redhat.rhsa:tst:20141634031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.33-1.13.5.0.el6_6" id="oval:com.redhat.rhsa:tst:20141634032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.33-1.13.5.0.el6_6" id="oval:com.redhat.rhsa:tst:20141634033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.33-1.13.5.0.el6_6" id="oval:com.redhat.rhsa:tst:20141634034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141634008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.2.0-3.el5_11" id="oval:com.redhat.rhsa:tst:20141635002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141635004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner is earlier than 0:31.2.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20141635008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141635006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner-devel is earlier than 0:31.2.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20141635010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141635006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.2.0-3.el7_0" id="oval:com.redhat.rhsa:tst:20141635012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141635007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.2.0-3.el6_6" id="oval:com.redhat.rhsa:tst:20141635018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141635009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-34.el7_0.6" id="oval:com.redhat.rhsa:tst:20141652005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141652003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.6" id="oval:com.redhat.rhsa:tst:20141652007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141652003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.6" id="oval:com.redhat.rhsa:tst:20141652009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141652003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.6" id="oval:com.redhat.rhsa:tst:20141652011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141652003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.6" id="oval:com.redhat.rhsa:tst:20141652013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141652003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 0:1.0.1e-30.el6_6.2" id="oval:com.redhat.rhsa:tst:20141652019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141652005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 0:1.0.1e-30.el6_6.2" id="oval:com.redhat.rhsa:tst:20141652020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141652005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 0:1.0.1e-30.el6_6.2" id="oval:com.redhat.rhsa:tst:20141652021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141652005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 0:1.0.1e-30.el6_6.2" id="oval:com.redhat.rhsa:tst:20141652022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141652005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2 is earlier than 0:2.9.1-5.el7_0.1" id="oval:com.redhat.rhsa:tst:20141655005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141655006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-devel is earlier than 0:2.9.1-5.el7_0.1" id="oval:com.redhat.rhsa:tst:20141655007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141655008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-static is earlier than 0:2.9.1-5.el7_0.1" id="oval:com.redhat.rhsa:tst:20141655009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-static is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141655010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-python is earlier than 0:2.9.1-5.el7_0.1" id="oval:com.redhat.rhsa:tst:20141655011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141655012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2 is earlier than 0:2.7.6-17.el6_6.1" id="oval:com.redhat.rhsa:tst:20141655017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-static is earlier than 0:2.7.6-17.el6_6.1" id="oval:com.redhat.rhsa:tst:20141655018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-devel is earlier than 0:2.7.6-17.el6_6.1" id="oval:com.redhat.rhsa:tst:20141655019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-python is earlier than 0:2.7.6-17.el6_6.1" id="oval:com.redhat.rhsa:tst:20141655020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is earlier than 10:1.5.3-60.el7_0.10" id="oval:com.redhat.rhsa:tst:20141669005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141669003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is earlier than 10:1.5.3-60.el7_0.10" id="oval:com.redhat.rhsa:tst:20141669007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141669003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is earlier than 10:1.5.3-60.el7_0.10" id="oval:com.redhat.rhsa:tst:20141669009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141669003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-guest-agent is earlier than 10:1.5.3-60.el7_0.10" id="oval:com.redhat.rhsa:tst:20141669011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141669003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is earlier than 10:1.5.3-60.el7_0.10" id="oval:com.redhat.rhsa:tst:20141669013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141669003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is earlier than 10:1.5.3-60.el7_0.10" id="oval:com.redhat.rhsa:tst:20141669015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141669003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is earlier than 10:1.5.3-60.el7_0.10" id="oval:com.redhat.rhsa:tst:20141669017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141669003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is earlier than 10:1.5.3-60.el7_0.10" id="oval:com.redhat.rhsa:tst:20141669019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141669003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark is earlier than 0:1.10.3-12.el7_0" id="oval:com.redhat.rhsa:tst:20141676005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141676003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141676006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark-devel is earlier than 0:1.10.3-12.el7_0" id="oval:com.redhat.rhsa:tst:20141676007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141676003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141676008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark-gnome is earlier than 0:1.10.3-12.el7_0" id="oval:com.redhat.rhsa:tst:20141676009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141676003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark-gnome is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141676010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark is earlier than 0:1.8.10-8.el6_6" id="oval:com.redhat.rhsa:tst:20141676015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141676005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark-gnome is earlier than 0:1.8.10-8.el6_6" id="oval:com.redhat.rhsa:tst:20141676016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141676005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark-devel is earlier than 0:1.8.10-8.el6_6" id="oval:com.redhat.rhsa:tst:20141676017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141676005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-123.9.2.el7" id="oval:com.redhat.rhsa:tst:20141724033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141724003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wget is earlier than 0:1.14-10.el7_0.1" id="oval:com.redhat.rhsa:tst:20141764005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141764005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141764003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wget is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141764006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141764005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wget is earlier than 0:1.12-5.el6_6.1" id="oval:com.redhat.rhsa:tst:20141764011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141764005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141764005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysql is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-devel is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-intl is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-common is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pdo is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-odbc is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-ldap is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pspell is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-cli is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-embedded is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pgsql is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysqlnd is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-dba is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-fpm is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-gd is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-process is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-snmp is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xmlrpc is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xml is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mbstring is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-bcmath is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-enchant is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-recode is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-soap is earlier than 0:5.4.16-23.el7_0.3" id="oval:com.redhat.rhsa:tst:20141767053" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767059" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xmlrpc is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767060" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-embedded is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767061" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xml is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767062" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-recode is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767063" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-enchant is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767064" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-soap is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767065" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pspell is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767066" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-cli is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767067" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-tidy is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767068" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141767030"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-tidy is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141767069" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141767030"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-dba is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767070" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-odbc is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767071" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysql is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767072" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-process is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767073" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pgsql is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767074" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-intl is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767075" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-ldap is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767076" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-common is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767077" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mbstring is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767078" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-bcmath is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767079" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-devel is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767080" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-gd is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767081" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-fpm is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767082" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-imap is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767083" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141767031"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-imap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141767084" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141767031"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-snmp is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767085" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-zts is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767086" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141767032"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-zts is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141767087" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141767032"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pdo is earlier than 0:5.3.3-40.el6_6" id="oval:com.redhat.rhsa:tst:20141767088" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filters is earlier than 0:1.0.35-15.el7_0.1" id="oval:com.redhat.rhsa:tst:20141795005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141795005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141795003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filters is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141795006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141795005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filters-devel is earlier than 0:1.0.35-15.el7_0.1" id="oval:com.redhat.rhsa:tst:20141795007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141795006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141795003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filters-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141795008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141795006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filters-libs is earlier than 0:1.0.35-15.el7_0.1" id="oval:com.redhat.rhsa:tst:20141795009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141795007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141795003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filters-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141795010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141795007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="shim is earlier than 0:0.7-8.el7_0" id="oval:com.redhat.rhsa:tst:20141801005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141801005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141801003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="shim is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141801006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141801005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mokutil is earlier than 0:0.7-8.el7_0" id="oval:com.redhat.rhsa:tst:20141801007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141801006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141801003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mokutil is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141801008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141801006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="shim-unsigned is earlier than 0:0.7-8.el7_0" id="oval:com.redhat.rhsa:tst:20141801009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141801007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141801003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="shim-unsigned is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141801010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141801007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="shim-signed is earlier than 0:0.7-8.el7_0" id="oval:com.redhat.rhsa:tst:20141801011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141801008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141801003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="shim-signed is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141801012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141801008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvncserver is earlier than 0:0.9.9-9.el7_0.1" id="oval:com.redhat.rhsa:tst:20141826005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141826005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141826003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvncserver is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141826006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141826005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvncserver-devel is earlier than 0:0.9.9-9.el7_0.1" id="oval:com.redhat.rhsa:tst:20141826007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141826006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141826003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvncserver-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141826008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141826006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvncserver is earlier than 0:0.9.7-7.el6_6.1" id="oval:com.redhat.rhsa:tst:20141826013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141826005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141826005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvncserver-devel is earlier than 0:0.9.7-7.el6_6.1" id="oval:com.redhat.rhsa:tst:20141826014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141826006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141826005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kget-libs is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kget-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krfb-libs is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krfb-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krdc is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krdc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-common is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-common is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kdnssd is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kdnssd is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kget is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kget is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-devel is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krdc-devel is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krdc-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kopete-libs is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kopete-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kopete is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kopete is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krdc-libs is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krdc-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krfb is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-krfb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-fileshare-samba is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-fileshare-samba is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kopete-devel is earlier than 7:4.10.5-8.el7_0" id="oval:com.redhat.rhsa:tst:20141827033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141827003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kdenetwork-kopete-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141827034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141827019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls is earlier than 0:3.1.18-10.el7_0" id="oval:com.redhat.rhsa:tst:20141846005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141846003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-utils is earlier than 0:3.1.18-10.el7_0" id="oval:com.redhat.rhsa:tst:20141846007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141846003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-devel is earlier than 0:3.1.18-10.el7_0" id="oval:com.redhat.rhsa:tst:20141846009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141846003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-c++ is earlier than 0:3.1.18-10.el7_0" id="oval:com.redhat.rhsa:tst:20141846011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141846003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-dane is earlier than 0:3.1.18-10.el7_0" id="oval:com.redhat.rhsa:tst:20141846013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141846003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb is earlier than 1:5.5.40-1.el7_0" id="oval:com.redhat.rhsa:tst:20141861005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded is earlier than 1:5.5.40-1.el7_0" id="oval:com.redhat.rhsa:tst:20141861007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded-devel is earlier than 1:5.5.40-1.el7_0" id="oval:com.redhat.rhsa:tst:20141861009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-server is earlier than 1:5.5.40-1.el7_0" id="oval:com.redhat.rhsa:tst:20141861011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-libs is earlier than 1:5.5.40-1.el7_0" id="oval:com.redhat.rhsa:tst:20141861013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-devel is earlier than 1:5.5.40-1.el7_0" id="oval:com.redhat.rhsa:tst:20141861015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-test is earlier than 1:5.5.40-1.el7_0" id="oval:com.redhat.rhsa:tst:20141861017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-bench is earlier than 1:5.5.40-1.el7_0" id="oval:com.redhat.rhsa:tst:20141861019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141861003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont is earlier than 0:1.4.7-2.el7_0" id="oval:com.redhat.rhsa:tst:20141870005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141870003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141870006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont-devel is earlier than 0:1.4.7-2.el7_0" id="oval:com.redhat.rhsa:tst:20141870007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141870003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141870008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont is earlier than 0:1.4.5-4.el6_6" id="oval:com.redhat.rhsa:tst:20141870013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141870005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont-devel is earlier than 0:1.4.5-4.el6_6" id="oval:com.redhat.rhsa:tst:20141870014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141870005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby is earlier than 0:2.0.0.353-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-libs is earlier than 0:2.0.0.353-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-devel is earlier than 0:2.0.0.353-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-json is earlier than 0:1.7.7-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-json is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygems-devel is earlier than 0:2.0.14-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygems-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-irb is earlier than 0:2.0.0.353-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-irb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-minitest is earlier than 0:4.3.2-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-minitest is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-bigdecimal is earlier than 0:1.2.0-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-bigdecimal is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygems is earlier than 0:2.0.14-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygems is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-rdoc is earlier than 0:4.0.0-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-rdoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-io-console is earlier than 0:0.4.2-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-io-console is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-doc is earlier than 0:2.0.0.353-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-tcltk is earlier than 0:2.0.0.353-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-tcltk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-rake is earlier than 0:0.9.6-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-rake is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-psych is earlier than 0:2.0.0-22.el7_0" id="oval:com.redhat.rhsa:tst:20141912033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141912011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-psych is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141912034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141912019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.3.0-4.el5_11" id="oval:com.redhat.rhsa:tst:20141919002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141919004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.3.0-3.el7_0" id="oval:com.redhat.rhsa:tst:20141919008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141919006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.3.0-3.el6_6" id="oval:com.redhat.rhsa:tst:20141919014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141919008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.16.2.3-1.el5_11" id="oval:com.redhat.rhsa:tst:20141948002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.16.2.3-1.el5_11" id="oval:com.redhat.rhsa:tst:20141948004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.16.2.3-1.el5_11" id="oval:com.redhat.rhsa:tst:20141948006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.16.2.3-1.el5_11" id="oval:com.redhat.rhsa:tst:20141948008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is earlier than 0:3.16.2.3-1.el7_0" id="oval:com.redhat.rhsa:tst:20141948014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is earlier than 0:3.16.2.3-1.el7_0" id="oval:com.redhat.rhsa:tst:20141948016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn is earlier than 0:3.16.2.3-1.el7_0" id="oval:com.redhat.rhsa:tst:20141948018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-devel is earlier than 0:3.16.2.3-1.el7_0" id="oval:com.redhat.rhsa:tst:20141948020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl-devel is earlier than 0:3.16.2.3-1.el7_0" id="oval:com.redhat.rhsa:tst:20141948022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl is earlier than 0:3.16.2.3-1.el7_0" id="oval:com.redhat.rhsa:tst:20141948024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.16.2.3-2.el7_0" id="oval:com.redhat.rhsa:tst:20141948026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.16.2.3-2.el7_0" id="oval:com.redhat.rhsa:tst:20141948028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.16.2.3-2.el7_0" id="oval:com.redhat.rhsa:tst:20141948030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.16.2.3-2.el7_0" id="oval:com.redhat.rhsa:tst:20141948032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.16.2.3-2.el7_0" id="oval:com.redhat.rhsa:tst:20141948034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.16.2.3-3.el6_6" id="oval:com.redhat.rhsa:tst:20141948040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.16.2.3-3.el6_6" id="oval:com.redhat.rhsa:tst:20141948041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.16.2.3-3.el6_6" id="oval:com.redhat.rhsa:tst:20141948042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.16.2.3-3.el6_6" id="oval:com.redhat.rhsa:tst:20141948043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.16.2.3-3.el6_6" id="oval:com.redhat.rhsa:tst:20141948044" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is earlier than 0:3.16.2.3-2.el6_6" id="oval:com.redhat.rhsa:tst:20141948045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is earlier than 0:3.16.2.3-2.el6_6" id="oval:com.redhat.rhsa:tst:20141948046" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141948011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wpa_supplicant is earlier than 1:2.0-13.el7_0" id="oval:com.redhat.rhsa:tst:20141956005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141956005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141956003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wpa_supplicant is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141956006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141956005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.13.1.el7" id="oval:com.redhat.rhsa:tst:20141971033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141971003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm is earlier than 0:4.11.1-18.el7_0" id="oval:com.redhat.rhsa:tst:20141976005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141976003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141976006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-python is earlier than 0:4.11.1-18.el7_0" id="oval:com.redhat.rhsa:tst:20141976007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141976003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141976008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-cron is earlier than 0:4.11.1-18.el7_0" id="oval:com.redhat.rhsa:tst:20141976009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141976003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-cron is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141976010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-build is earlier than 0:4.11.1-18.el7_0" id="oval:com.redhat.rhsa:tst:20141976011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141976003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-build is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141976012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-build-libs is earlier than 0:4.11.1-18.el7_0" id="oval:com.redhat.rhsa:tst:20141976013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141976003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-build-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141976014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-devel is earlier than 0:4.11.1-18.el7_0" id="oval:com.redhat.rhsa:tst:20141976015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141976003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141976016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-sign is earlier than 0:4.11.1-18.el7_0" id="oval:com.redhat.rhsa:tst:20141976017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141976003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-sign is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141976018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-libs is earlier than 0:4.11.1-18.el7_0" id="oval:com.redhat.rhsa:tst:20141976019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141976003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141976020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-apidocs is earlier than 0:4.11.1-18.el7_0" id="oval:com.redhat.rhsa:tst:20141976021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141976003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpm-apidocs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141976022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141976013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server is earlier than 0:1.15.0-7.el7_0.3" id="oval:com.redhat.rhsa:tst:20141983005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141983006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xnest is earlier than 0:1.15.0-7.el7_0.3" id="oval:com.redhat.rhsa:tst:20141983007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xnest is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141983008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xdmx is earlier than 0:1.15.0-7.el7_0.3" id="oval:com.redhat.rhsa:tst:20141983009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xdmx is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141983010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-source is earlier than 0:1.15.0-7.el7_0.3" id="oval:com.redhat.rhsa:tst:20141983011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-source is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141983012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xephyr is earlier than 0:1.15.0-7.el7_0.3" id="oval:com.redhat.rhsa:tst:20141983013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xephyr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141983014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-common is earlier than 0:1.15.0-7.el7_0.3" id="oval:com.redhat.rhsa:tst:20141983015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-common is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141983016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xvfb is earlier than 0:1.15.0-7.el7_0.3" id="oval:com.redhat.rhsa:tst:20141983017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xvfb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141983018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xorg is earlier than 0:1.15.0-7.el7_0.3" id="oval:com.redhat.rhsa:tst:20141983019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xorg is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141983020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-devel is earlier than 0:1.15.0-7.el7_0.3" id="oval:com.redhat.rhsa:tst:20141983021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141983022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server is earlier than 0:1.15.0-25.el6_6" id="oval:com.redhat.rhsa:tst:20141983027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xvfb is earlier than 0:1.15.0-25.el6_6" id="oval:com.redhat.rhsa:tst:20141983028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xorg is earlier than 0:1.15.0-25.el6_6" id="oval:com.redhat.rhsa:tst:20141983029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-source is earlier than 0:1.15.0-25.el6_6" id="oval:com.redhat.rhsa:tst:20141983030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xdmx is earlier than 0:1.15.0-25.el6_6" id="oval:com.redhat.rhsa:tst:20141983031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-common is earlier than 0:1.15.0-25.el6_6" id="oval:com.redhat.rhsa:tst:20141983032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xephyr is earlier than 0:1.15.0-25.el6_6" id="oval:com.redhat.rhsa:tst:20141983033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xnest is earlier than 0:1.15.0-25.el6_6" id="oval:com.redhat.rhsa:tst:20141983034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-devel is earlier than 0:1.15.0-25.el6_6" id="oval:com.redhat.rhsa:tst:20141983035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141983005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 30:9.3.6-25.P1.el5_11.2" id="oval:com.redhat.rhsa:tst:20141984002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141984003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 30:9.3.6-25.P1.el5_11.2" id="oval:com.redhat.rhsa:tst:20141984004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141984005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 30:9.3.6-25.P1.el5_11.2" id="oval:com.redhat.rhsa:tst:20141984006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141984007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 30:9.3.6-25.P1.el5_11.2" id="oval:com.redhat.rhsa:tst:20141984008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141984009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 30:9.3.6-25.P1.el5_11.2" id="oval:com.redhat.rhsa:tst:20141984010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141984011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libbind-devel is earlier than 30:9.3.6-25.P1.el5_11.2" id="oval:com.redhat.rhsa:tst:20141984012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libbind-devel is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141984013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 30:9.3.6-25.P1.el5_11.2" id="oval:com.redhat.rhsa:tst:20141984014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141984015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="caching-nameserver is earlier than 30:9.3.6-25.P1.el5_11.2" id="oval:com.redhat.rhsa:tst:20141984016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="caching-nameserver is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20141984017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-license is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-license is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb-chroot is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb-chroot is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-lite-devel is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-lite-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs-lite is earlier than 32:9.9.4-14.el7_0.1" id="oval:com.redhat.rhsa:tst:20141984040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs-lite is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141984041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.8.2-0.30.rc1.el6_6.1" id="oval:com.redhat.rhsa:tst:20141984046" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.8.2-0.30.rc1.el6_6.1" id="oval:com.redhat.rhsa:tst:20141984047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.8.2-0.30.rc1.el6_6.1" id="oval:com.redhat.rhsa:tst:20141984048" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.8.2-0.30.rc1.el6_6.1" id="oval:com.redhat.rhsa:tst:20141984049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.8.2-0.30.rc1.el6_6.1" id="oval:com.redhat.rhsa:tst:20141984050" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.8.2-0.30.rc1.el6_6.1" id="oval:com.redhat.rhsa:tst:20141984051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141984008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mailx is earlier than 0:12.5-12.el7_0" id="oval:com.redhat.rhsa:tst:20141999005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141999005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141999003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mailx is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20141999006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141999005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mailx is earlier than 0:12.4-8.el6_6" id="oval:com.redhat.rhsa:tst:20141999011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141999005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20141999005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-123.13.2.el7" id="oval:com.redhat.rhsa:tst:20142010033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142010003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper is earlier than 0:1.900.1-26.el7_0.2" id="oval:com.redhat.rhsa:tst:20142021005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142021003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20142021006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-devel is earlier than 0:1.900.1-26.el7_0.2" id="oval:com.redhat.rhsa:tst:20142021007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142021003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20142021008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-libs is earlier than 0:1.900.1-26.el7_0.2" id="oval:com.redhat.rhsa:tst:20142021009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142021003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20142021010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-utils is earlier than 0:1.900.1-26.el7_0.2" id="oval:com.redhat.rhsa:tst:20142021011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142021003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-utils is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20142021012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper is earlier than 0:1.900.1-16.el6_6.2" id="oval:com.redhat.rhsa:tst:20142021017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142021005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-libs is earlier than 0:1.900.1-16.el6_6.2" id="oval:com.redhat.rhsa:tst:20142021018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142021005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-devel is earlier than 0:1.900.1-16.el6_6.2" id="oval:com.redhat.rhsa:tst:20142021019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142021005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-utils is earlier than 0:1.900.1-16.el6_6.2" id="oval:com.redhat.rhsa:tst:20142021020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142021005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.17-55.el7_0.3" id="oval:com.redhat.rhsa:tst:20142023005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.17-55.el7_0.3" id="oval:com.redhat.rhsa:tst:20142023007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.17-55.el7_0.3" id="oval:com.redhat.rhsa:tst:20142023009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is earlier than 0:2.17-55.el7_0.3" id="oval:com.redhat.rhsa:tst:20142023011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.17-55.el7_0.3" id="oval:com.redhat.rhsa:tst:20142023013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.17-55.el7_0.3" id="oval:com.redhat.rhsa:tst:20142023015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.17-55.el7_0.3" id="oval:com.redhat.rhsa:tst:20142023017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142023003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp is earlier than 0:4.2.6p5-19.el7_0" id="oval:com.redhat.rhsa:tst:20142024005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142024003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20142024006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sntp is earlier than 0:4.2.6p5-19.el7_0" id="oval:com.redhat.rhsa:tst:20142024007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142024003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sntp is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20142024008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-doc is earlier than 0:4.2.6p5-19.el7_0" id="oval:com.redhat.rhsa:tst:20142024009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142024003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20142024010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntpdate is earlier than 0:4.2.6p5-19.el7_0" id="oval:com.redhat.rhsa:tst:20142024011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142024003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntpdate is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20142024012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-perl is earlier than 0:4.2.6p5-19.el7_0" id="oval:com.redhat.rhsa:tst:20142024013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142024003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-perl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20142024014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp is earlier than 0:4.2.6p5-2.el6_6" id="oval:com.redhat.rhsa:tst:20142024019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142024005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-perl is earlier than 0:4.2.6p5-2.el6_6" id="oval:com.redhat.rhsa:tst:20142024020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142024005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntpdate is earlier than 0:4.2.6p5-2.el6_6" id="oval:com.redhat.rhsa:tst:20142024021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142024005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-doc is earlier than 0:4.2.6p5-2.el6_6" id="oval:com.redhat.rhsa:tst:20142024022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20142024005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-lxc is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-devel is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-network is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-nwfilter is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nwfilter is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-login-shell is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nodedev is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-interface is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-secret is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-docs is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-python is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-network is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-storage is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-lxc is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-client is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-qemu is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-kvm is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-lock-sanlock is earlier than 0:1.1.1-29.el7_0.4" id="oval:com.redhat.rhsa:tst:20150008043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.4.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20150046002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150046004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner is earlier than 0:31.4.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20150046008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150046006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner-devel is earlier than 0:31.4.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20150046010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150046006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.4.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20150046012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150046006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.4.0-1.el6_6" id="oval:com.redhat.rhsa:tst:20150046018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150046009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-34.el7_0.7" id="oval:com.redhat.rhsa:tst:20150066005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150066003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-34.el7_0.7" id="oval:com.redhat.rhsa:tst:20150066007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150066003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-34.el7_0.7" id="oval:com.redhat.rhsa:tst:20150066009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150066003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-34.el7_0.7" id="oval:com.redhat.rhsa:tst:20150066011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150066003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-34.el7_0.7" id="oval:com.redhat.rhsa:tst:20150066013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150066003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 0:1.0.1e-30.el6_6.5" id="oval:com.redhat.rhsa:tst:20150066019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150066005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 0:1.0.1e-30.el6_6.5" id="oval:com.redhat.rhsa:tst:20150066020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150066005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 0:1.0.1e-30.el6_6.5" id="oval:com.redhat.rhsa:tst:20150066021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150066005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 0:1.0.1e-30.el6_6.5" id="oval:com.redhat.rhsa:tst:20150066022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150066005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.75-2.5.4.2.el7_0" id="oval:com.redhat.rhsa:tst:20150067005" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.75-2.5.4.2.el7_0" id="oval:com.redhat.rhsa:tst:20150067007" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.75-2.5.4.2.el7_0" id="oval:com.redhat.rhsa:tst:20150067009" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.75-2.5.4.2.el7_0" id="oval:com.redhat.rhsa:tst:20150067011" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.75-2.5.4.2.el7_0" id="oval:com.redhat.rhsa:tst:20150067013" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.75-2.5.4.2.el7_0" id="oval:com.redhat.rhsa:tst:20150067015" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.75-2.5.4.2.el7_0" id="oval:com.redhat.rhsa:tst:20150067017" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.75-2.5.4.0.el6_6" id="oval:com.redhat.rhsa:tst:20150067023" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.75-2.5.4.0.el6_6" id="oval:com.redhat.rhsa:tst:20150067024" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.75-2.5.4.0.el6_6" id="oval:com.redhat.rhsa:tst:20150067025" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.75-2.5.4.0.el6_6" id="oval:com.redhat.rhsa:tst:20150067026" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.75-2.5.4.0.el6_6" id="oval:com.redhat.rhsa:tst:20150067027" version="604">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150067005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper is earlier than 0:1.900.1-26.el7_0.3" id="oval:com.redhat.rhsa:tst:20150074005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150074003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-libs is earlier than 0:1.900.1-26.el7_0.3" id="oval:com.redhat.rhsa:tst:20150074007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150074003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-utils is earlier than 0:1.900.1-26.el7_0.3" id="oval:com.redhat.rhsa:tst:20150074009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150074003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-devel is earlier than 0:1.900.1-26.el7_0.3" id="oval:com.redhat.rhsa:tst:20150074011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150074003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper is earlier than 0:1.900.1-16.el6_6.3" id="oval:com.redhat.rhsa:tst:20150074017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150074005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-utils is earlier than 0:1.900.1-16.el6_6.3" id="oval:com.redhat.rhsa:tst:20150074018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150074005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-devel is earlier than 0:1.900.1-16.el6_6.3" id="oval:com.redhat.rhsa:tst:20150074019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150074005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jasper-libs is earlier than 0:1.900.1-16.el6_6.3" id="oval:com.redhat.rhsa:tst:20150074020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142021007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150074005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.34-1.13.6.1.el5_11" id="oval:com.redhat.rhsa:tst:20150085002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.34-1.13.6.1.el5_11" id="oval:com.redhat.rhsa:tst:20150085004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.34-1.13.6.1.el5_11" id="oval:com.redhat.rhsa:tst:20150085006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.34-1.13.6.1.el5_11" id="oval:com.redhat.rhsa:tst:20150085008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.34-1.13.6.1.el5_11" id="oval:com.redhat.rhsa:tst:20150085010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.34-1.13.6.1.el7_0" id="oval:com.redhat.rhsa:tst:20150085016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.34-1.13.6.1.el7_0" id="oval:com.redhat.rhsa:tst:20150085018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.34-1.13.6.1.el7_0" id="oval:com.redhat.rhsa:tst:20150085020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.34-1.13.6.1.el7_0" id="oval:com.redhat.rhsa:tst:20150085022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.34-1.13.6.1.el7_0" id="oval:com.redhat.rhsa:tst:20150085024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.34-1.13.6.1.el6_6" id="oval:com.redhat.rhsa:tst:20150085030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.34-1.13.6.1.el6_6" id="oval:com.redhat.rhsa:tst:20150085031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.34-1.13.6.1.el6_6" id="oval:com.redhat.rhsa:tst:20150085032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.34-1.13.6.1.el6_6" id="oval:com.redhat.rhsa:tst:20150085033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.34-1.13.6.1.el6_6" id="oval:com.redhat.rhsa:tst:20150085034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150085008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.17-55.el7_0.5" id="oval:com.redhat.rhsa:tst:20150092005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.17-55.el7_0.5" id="oval:com.redhat.rhsa:tst:20150092007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.17-55.el7_0.5" id="oval:com.redhat.rhsa:tst:20150092009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.17-55.el7_0.5" id="oval:com.redhat.rhsa:tst:20150092011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is earlier than 0:2.17-55.el7_0.5" id="oval:com.redhat.rhsa:tst:20150092013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.17-55.el7_0.5" id="oval:com.redhat.rhsa:tst:20150092015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.17-55.el7_0.5" id="oval:com.redhat.rhsa:tst:20150092017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.12-1.149.el6_6.5" id="oval:com.redhat.rhsa:tst:20150092023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.12-1.149.el6_6.5" id="oval:com.redhat.rhsa:tst:20150092024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.12-1.149.el6_6.5" id="oval:com.redhat.rhsa:tst:20150092025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.12-1.149.el6_6.5" id="oval:com.redhat.rhsa:tst:20150092026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.12-1.149.el6_6.5" id="oval:com.redhat.rhsa:tst:20150092027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is earlier than 0:2.12-1.149.el6_6.5" id="oval:com.redhat.rhsa:tst:20150092028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.12-1.149.el6_6.5" id="oval:com.redhat.rhsa:tst:20150092029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150092005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libyaml is earlier than 0:0.1.4-11.el7_0" id="oval:com.redhat.rhsa:tst:20150100005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150100005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150100003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libyaml is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150100006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150100005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libyaml-devel is earlier than 0:0.1.4-11.el7_0" id="oval:com.redhat.rhsa:tst:20150100007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150100006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150100003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libyaml-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150100008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150100006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libyaml is earlier than 0:0.1.3-4.el6_6" id="oval:com.redhat.rhsa:tst:20150100013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150100005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150100005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libyaml-devel is earlier than 0:0.1.3-4.el6_6" id="oval:com.redhat.rhsa:tst:20150100014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150100006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150100005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-123.20.1.el7" id="oval:com.redhat.rhsa:tst:20150102033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150102003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb is earlier than 1:5.5.41-2.el7_0" id="oval:com.redhat.rhsa:tst:20150118005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150118003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded-devel is earlier than 1:5.5.41-2.el7_0" id="oval:com.redhat.rhsa:tst:20150118007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150118003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-test is earlier than 1:5.5.41-2.el7_0" id="oval:com.redhat.rhsa:tst:20150118009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150118003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-libs is earlier than 1:5.5.41-2.el7_0" id="oval:com.redhat.rhsa:tst:20150118011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150118003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded is earlier than 1:5.5.41-2.el7_0" id="oval:com.redhat.rhsa:tst:20150118013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150118003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-bench is earlier than 1:5.5.41-2.el7_0" id="oval:com.redhat.rhsa:tst:20150118015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150118003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-server is earlier than 1:5.5.41-2.el7_0" id="oval:com.redhat.rhsa:tst:20150118017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150118003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-devel is earlier than 1:5.5.41-2.el7_0" id="oval:com.redhat.rhsa:tst:20150118019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150118003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-kde is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-kde is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-ruby is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-ruby is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-python is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-libs is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_dav_svn is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_dav_svn is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-gnome is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-gnome is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-javahl is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-javahl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-tools is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-perl is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-perl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-devel is earlier than 0:1.7.14-7.el7_0" id="oval:com.redhat.rhsa:tst:20150166025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150166003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150166026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-client is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-libs is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-python is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test-devel is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc-libs is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-krb5-locator is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-common is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient-devel is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient-devel is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-pidl is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-modules is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-devel is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-clients is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-vfs-glusterfs is earlier than 0:4.1.1-38.el7_0" id="oval:com.redhat.rhsa:tst:20150252043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150252003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.5.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20150265002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150265004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.5.0-2.el7_0" id="oval:com.redhat.rhsa:tst:20150265008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150265006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner is earlier than 0:31.5.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20150265010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150265007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner-devel is earlier than 0:31.5.0-1.el7_0" id="oval:com.redhat.rhsa:tst:20150265012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150265007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.5.0-1.el6_6" id="oval:com.redhat.rhsa:tst:20150265018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150265009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.el7" id="oval:com.redhat.rhsa:tst:20150290033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="hivex is earlier than 0:1.3.10-5.7.el7" id="oval:com.redhat.rhsa:tst:20150301005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="hivex is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150301006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ocaml-hivex is earlier than 0:1.3.10-5.7.el7" id="oval:com.redhat.rhsa:tst:20150301007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ocaml-hivex is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150301008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-hivex is earlier than 0:1.3.10-5.7.el7" id="oval:com.redhat.rhsa:tst:20150301009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ruby-hivex is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150301010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="hivex-devel is earlier than 0:1.3.10-5.7.el7" id="oval:com.redhat.rhsa:tst:20150301011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="hivex-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150301012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-hivex is earlier than 0:1.3.10-5.7.el7" id="oval:com.redhat.rhsa:tst:20150301013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-hivex is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150301014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perl-hivex is earlier than 0:1.3.10-5.7.el7" id="oval:com.redhat.rhsa:tst:20150301015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perl-hivex is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150301016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ocaml-hivex-devel is earlier than 0:1.3.10-5.7.el7" id="oval:com.redhat.rhsa:tst:20150301017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ocaml-hivex-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150301018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150301011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nodedev is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-lxc is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-lxc is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-client is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-network is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-config-nwfilter is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-storage is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-network is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-nwfilter is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-interface is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-secret is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-devel is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-docs is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-login-shell is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-kvm is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-lock-sanlock is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libvirt-daemon-driver-qemu is earlier than 0:1.2.8-16.el7" id="oval:com.redhat.rhsa:tst:20150323041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140914022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150323003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd is earlier than 0:2.4.6-31.el7" id="oval:com.redhat.rhsa:tst:20150325005" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150325003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-manual is earlier than 0:2.4.6-31.el7" id="oval:com.redhat.rhsa:tst:20150325007" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150325003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ldap is earlier than 0:2.4.6-31.el7" id="oval:com.redhat.rhsa:tst:20150325009" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150325003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-tools is earlier than 0:2.4.6-31.el7" id="oval:com.redhat.rhsa:tst:20150325011" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150325003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ssl is earlier than 1:2.4.6-31.el7" id="oval:com.redhat.rhsa:tst:20150325013" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150325004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_proxy_html is earlier than 1:2.4.6-31.el7" id="oval:com.redhat.rhsa:tst:20150325015" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150325004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_session is earlier than 0:2.4.6-31.el7" id="oval:com.redhat.rhsa:tst:20150325017" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150325003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-devel is earlier than 0:2.4.6-31.el7" id="oval:com.redhat.rhsa:tst:20150325019" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150325003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.17-78.el7" id="oval:com.redhat.rhsa:tst:20150327005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.17-78.el7" id="oval:com.redhat.rhsa:tst:20150327007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.17-78.el7" id="oval:com.redhat.rhsa:tst:20150327009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.17-78.el7" id="oval:com.redhat.rhsa:tst:20150327011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.17-78.el7" id="oval:com.redhat.rhsa:tst:20150327013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.17-78.el7" id="oval:com.redhat.rhsa:tst:20150327015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is earlier than 0:2.17-78.el7" id="oval:com.redhat.rhsa:tst:20150327017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150327003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcre is earlier than 0:8.32-14.el7" id="oval:com.redhat.rhsa:tst:20150330005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150330005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150330003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcre is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150330006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150330005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcre-devel is earlier than 0:8.32-14.el7" id="oval:com.redhat.rhsa:tst:20150330007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150330006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150330003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcre-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150330008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150330006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcre-tools is earlier than 0:8.32-14.el7" id="oval:com.redhat.rhsa:tst:20150330009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150330007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150330003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcre-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150330010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150330007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcre-static is earlier than 0:8.32-14.el7" id="oval:com.redhat.rhsa:tst:20150330011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150330008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150330003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcre-static is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150330012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150330008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is earlier than 10:1.5.3-86.el7" id="oval:com.redhat.rhsa:tst:20150349005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150349003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is earlier than 10:1.5.3-86.el7" id="oval:com.redhat.rhsa:tst:20150349007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150349003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is earlier than 10:1.5.3-86.el7" id="oval:com.redhat.rhsa:tst:20150349009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150349003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is earlier than 10:1.5.3-86.el7" id="oval:com.redhat.rhsa:tst:20150349011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150349003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is earlier than 10:1.5.3-86.el7" id="oval:com.redhat.rhsa:tst:20150349013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150349003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7" id="oval:com.redhat.rhsa:tst:20150349015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150349003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7" id="oval:com.redhat.rhsa:tst:20150349017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150349003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mdds is earlier than 0:0.10.3-1.el7" id="oval:com.redhat.rhsa:tst:20150377005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mdds is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mdds-devel is earlier than 0:0.10.3-1.el7" id="oval:com.redhat.rhsa:tst:20150377007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mdds-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libmwaw is earlier than 0:0.2.0-4.el7" id="oval:com.redhat.rhsa:tst:20150377009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libmwaw is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libmwaw-doc is earlier than 0:0.2.0-4.el7" id="oval:com.redhat.rhsa:tst:20150377011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libmwaw-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libmwaw-tools is earlier than 0:0.2.0-4.el7" id="oval:com.redhat.rhsa:tst:20150377013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libmwaw-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libmwaw-devel is earlier than 0:0.2.0-4.el7" id="oval:com.redhat.rhsa:tst:20150377015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libmwaw-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libodfgen is earlier than 0:0.0.4-1.el7" id="oval:com.redhat.rhsa:tst:20150377017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libodfgen is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libodfgen-doc is earlier than 0:0.0.4-1.el7" id="oval:com.redhat.rhsa:tst:20150377019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libodfgen-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libodfgen-devel is earlier than 0:0.0.4-1.el7" id="oval:com.redhat.rhsa:tst:20150377021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libodfgen-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcmis is earlier than 0:0.4.1-5.el7" id="oval:com.redhat.rhsa:tst:20150377023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcmis is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcmis-devel is earlier than 0:0.4.1-5.el7" id="oval:com.redhat.rhsa:tst:20150377025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcmis-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcmis-tools is earlier than 0:0.4.1-5.el7" id="oval:com.redhat.rhsa:tst:20150377027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcmis-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libabw is earlier than 0:0.0.2-1.el7" id="oval:com.redhat.rhsa:tst:20150377029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libabw is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libabw-tools is earlier than 0:0.0.2-1.el7" id="oval:com.redhat.rhsa:tst:20150377031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libabw-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libabw-doc is earlier than 0:0.0.2-1.el7" id="oval:com.redhat.rhsa:tst:20150377033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libabw-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libabw-devel is earlier than 0:0.0.2-1.el7" id="oval:com.redhat.rhsa:tst:20150377035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libabw-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libfreehand is earlier than 0:0.0.0-3.el7" id="oval:com.redhat.rhsa:tst:20150377037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libfreehand is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libfreehand-doc is earlier than 0:0.0.0-3.el7" id="oval:com.redhat.rhsa:tst:20150377039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libfreehand-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libfreehand-devel is earlier than 0:0.0.0-3.el7" id="oval:com.redhat.rhsa:tst:20150377041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libfreehand-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libfreehand-tools is earlier than 0:0.0.0-3.el7" id="oval:com.redhat.rhsa:tst:20150377043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libfreehand-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377044" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libetonyek is earlier than 0:0.0.4-2.el7" id="oval:com.redhat.rhsa:tst:20150377045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libetonyek is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377046" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libetonyek-tools is earlier than 0:0.0.4-2.el7" id="oval:com.redhat.rhsa:tst:20150377047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libetonyek-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377048" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libetonyek-devel is earlier than 0:0.0.4-2.el7" id="oval:com.redhat.rhsa:tst:20150377049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libetonyek-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377050" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libetonyek-doc is earlier than 0:0.0.4-2.el7" id="oval:com.redhat.rhsa:tst:20150377051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libetonyek-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377052" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="liblangtag is earlier than 0:0.5.4-8.el7" id="oval:com.redhat.rhsa:tst:20150377053" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="liblangtag is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377054" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="liblangtag-doc is earlier than 0:0.5.4-8.el7" id="oval:com.redhat.rhsa:tst:20150377055" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377030"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="liblangtag-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377056" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377030"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="liblangtag-gobject is earlier than 0:0.5.4-8.el7" id="oval:com.redhat.rhsa:tst:20150377057" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377031"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="liblangtag-gobject is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377058" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377031"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="liblangtag-devel is earlier than 0:0.5.4-8.el7" id="oval:com.redhat.rhsa:tst:20150377059" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377032"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377010"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="liblangtag-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377060" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377032"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377061" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377033"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377062" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377033"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-lt is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377063" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377034"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-lt is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377064" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377034"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-opensymbol-fonts is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377065" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377035"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-opensymbol-fonts is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377066" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377035"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nn is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377067" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377036"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nn is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377068" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377036"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-da is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377069" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377037"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-da is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377070" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377037"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-is is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377071" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377038"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-is is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377072" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377038"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377073" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377039"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377074" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377039"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zh-Hant is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377075" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377040"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zh-Hant is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377076" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377040"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-graphicfilter is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377077" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377041"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-graphicfilter is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377078" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377041"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sl is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377079" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377042"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377080" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377042"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-librelogo is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377081" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377043"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-librelogo is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377082" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377043"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-headless is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377083" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377044"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-headless is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377084" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377044"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-de is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377085" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377045"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-de is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377086" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377045"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-gdb-debug-support is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377087" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377046"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-gdb-debug-support is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377088" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377046"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-uk is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377089" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377047"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-uk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377090" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377047"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377091" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377048"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377092" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377048"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-core is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377093" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377049"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-core is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377094" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377049"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-es is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377095" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377050"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-es is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377096" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377050"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ro is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377097" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377051"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ro is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377098" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377051"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ar is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377099" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377052"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ar is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377100" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377052"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-eu is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377101" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377053"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-eu is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377102" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377053"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pt-BR is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377103" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377054"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pt-BR is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377104" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377054"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-pl is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377105" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377055"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-pl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377106" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377055"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-postgresql is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377107" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377056"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-postgresql is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377108" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377056"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ts is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377109" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377057"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ts is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377110" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377057"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ta is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377111" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377058"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ta is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377112" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377058"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-sdk-doc is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377113" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377059"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-sdk-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377114" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377059"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-he is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377115" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377060"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-he is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377116" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377060"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nso is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377117" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377061"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nso is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377118" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377061"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-af is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377119" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377062"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-af is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377120" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377062"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ga is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377121" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377063"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ga is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377122" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377063"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pl is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377123" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377064"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377124" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377064"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fi is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377125" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377065"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377126" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377065"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-mai is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377127" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377066"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-mai is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377128" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377066"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ca is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377129" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377067"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ca is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377130" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377067"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-vi is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377131" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377068"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-vi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377132" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377068"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-da is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377133" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377069"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-da is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377134" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377069"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-hr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377135" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377070"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-hr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377136" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377070"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-impress is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377137" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377071"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-impress is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377138" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377071"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-tr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377139" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377072"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-tr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377140" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377072"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ga is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377141" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377073"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ga is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377142" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377073"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-es is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377143" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377074"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-es is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377144" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377074"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-pt is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377145" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377075"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-pt is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377146" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377075"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-te is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377147" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377076"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-te is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377148" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377076"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-lv is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377149" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377077"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-lv is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377150" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377077"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-base is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377151" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377078"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-base is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377152" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377078"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-de is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377153" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377079"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-de is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377154" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377079"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fa is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377155" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377080"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fa is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377156" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377080"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-th is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377157" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377081"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-th is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377158" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377081"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-mn is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377159" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377082"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-mn is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377160" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377082"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-nlpsolver is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377161" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377083"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-nlpsolver is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377162" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377083"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-ure is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377163" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377084"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-ure is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377164" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377084"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377165" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377085"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377166" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377085"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ru is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377167" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377086"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ru is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377168" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377086"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ss is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377169" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377087"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ss is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377170" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377087"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sv is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377171" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377088"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sv is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377172" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377088"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zh-Hans is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377173" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377089"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zh-Hans is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377174" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377089"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ve is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377175" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377090"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ve is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377176" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377090"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-writer is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377177" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377091"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-writer is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377178" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377091"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-it is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377179" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377092"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-it is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377180" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377092"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-mr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377181" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377093"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-mr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377182" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377093"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ja is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377183" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377094"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ja is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377184" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377094"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pt-PT is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377185" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377095"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pt-PT is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377186" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377095"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sk is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377187" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377096"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377188" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377096"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-cy is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377189" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377097"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-cy is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377190" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377097"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-tr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377191" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377098"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-tr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377192" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377098"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-cs is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377193" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377099"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-cs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377194" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377099"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-emailmerge is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377195" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377100"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-emailmerge is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377196" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377100"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377197" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377101"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377198" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377101"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-kk is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377199" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377102"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-kk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377200" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377102"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-af is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377201" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377103"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-af is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377202" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377103"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fa is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377203" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377104"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fa is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377204" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377104"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pa is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377205" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377105"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pa is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377206" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377105"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-gu is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377207" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377106"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-gu is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377208" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377106"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nl is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377209" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377107"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377210" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377107"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-or is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377211" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377108"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-or is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377212" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377108"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ru is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377213" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377109"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ru is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377214" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377109"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sl is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377215" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377110"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377216" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377110"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-si is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377217" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377111"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-si is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377218" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377111"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fi is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377219" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377112"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377220" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377112"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ca is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377221" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377113"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ca is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377222" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377113"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-cs is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377223" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377114"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-cs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377224" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377114"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sk is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377225" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377115"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377226" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377115"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-it is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377227" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377116"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-it is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377228" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377116"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-rhino is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377229" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377117"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-rhino is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377230" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377117"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hu is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377231" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377118"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hu is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377232" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377118"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-tn is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377233" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377119"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-tn is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377234" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377119"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-br is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377235" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377120"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-br is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377236" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377120"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-zh is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377237" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377121"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-zh is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377238" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377121"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-nl is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377239" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377122"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-nl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377240" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377122"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-st is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377241" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377123"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-st is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377242" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377123"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-sdk is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377243" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377124"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-sdk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377244" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377124"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-pyuno is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377245" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377125"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-pyuno is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377246" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377125"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ko is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377247" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377126"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ko is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377248" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377126"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-hu is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377249" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377127"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-hu is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377250" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377127"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-en is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377251" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377128"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-en is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377252" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377128"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-math is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377253" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377129"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-math is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377254" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377129"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-en is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377255" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377130"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-en is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377256" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377130"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ja is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377257" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377131"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ja is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377258" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377131"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-gl is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377259" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377132"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-gl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377260" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377132"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-glade is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377261" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377133"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-glade is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377262" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377133"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-kn is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377263" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377134"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-kn is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377264" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377134"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-filters is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377265" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377135"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-filters is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377266" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377135"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-as is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377267" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377136"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-as is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377268" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377136"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-bn is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377269" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377137"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-bn is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377270" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377137"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-lb is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377271" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377138"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-lb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377272" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377138"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377273" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377139"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377274" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377139"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-draw is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377275" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377140"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-draw is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377276" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377140"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-pdfimport is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377277" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377141"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-pdfimport is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377278" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377141"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-dz is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377279" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377142"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-dz is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377280" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377142"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sv is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377281" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377143"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sv is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377282" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377143"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-wiki-publisher is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377283" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377144"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-wiki-publisher is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377284" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377144"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-lt is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377285" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377145"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-lt is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377286" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377145"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hi is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377287" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377146"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377288" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377146"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-ogltrans is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377289" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377147"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-ogltrans is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377290" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377147"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-bg is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377291" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377148"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-bg is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377292" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377148"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zu is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377293" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377149"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zu is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377294" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377149"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-et is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377295" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377150"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-et is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377296" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377150"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-calc is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377297" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377151"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-calc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377298" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377151"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-xh is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377299" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377152"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-xh is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377300" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377152"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sr is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377301" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377153"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377302" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377153"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ml is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377303" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377154"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ml is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377304" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377154"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-xsltfilter is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377305" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377155"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-xsltfilter is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377306" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377155"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nb is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377307" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377156"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377308" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377156"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ko is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377309" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377157"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ko is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377310" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377157"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-el is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377311" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377158"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-el is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377312" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377158"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-bg is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377313" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377159"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-bg is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377314" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377159"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-bsh is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377315" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377160"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-bsh is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377316" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377160"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ro is earlier than 1:4.2.6.3-5.el7" id="oval:com.redhat.rhsa:tst:20150377317" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377161"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150377011"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ro is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150377318" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377161"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ppc64-diag is earlier than 0:2.6.7-6.el7" id="oval:com.redhat.rhsa:tst:20150383005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150383005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ppc64-diag is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150383006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150383005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="powerpc-utils is earlier than 0:1.2.24-7.el7" id="oval:com.redhat.rhsa:tst:20150384005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150384005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150384003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="powerpc-utils is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150384006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150384005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base is earlier than 0:1.3.3.1-13.el7" id="oval:com.redhat.rhsa:tst:20150416005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150416003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-libs is earlier than 0:1.3.3.1-13.el7" id="oval:com.redhat.rhsa:tst:20150416007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150416003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-devel is earlier than 0:1.3.3.1-13.el7" id="oval:com.redhat.rhsa:tst:20150416009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150416003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh is earlier than 0:6.6.1p1-11.el7" id="oval:com.redhat.rhsa:tst:20150425005" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150425003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150425006" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-ldap is earlier than 0:6.6.1p1-11.el7" id="oval:com.redhat.rhsa:tst:20150425007" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150425003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-ldap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150425008" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-server is earlier than 0:6.6.1p1-11.el7" id="oval:com.redhat.rhsa:tst:20150425009" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150425003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150425010" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-keycat is earlier than 0:6.6.1p1-11.el7" id="oval:com.redhat.rhsa:tst:20150425011" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150425003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-keycat is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150425012" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-askpass is earlier than 0:6.6.1p1-11.el7" id="oval:com.redhat.rhsa:tst:20150425013" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150425003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-askpass is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150425014" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-server-sysvinit is earlier than 0:6.6.1p1-11.el7" id="oval:com.redhat.rhsa:tst:20150425015" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150425003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-server-sysvinit is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150425016" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-clients is earlier than 0:6.6.1p1-11.el7" id="oval:com.redhat.rhsa:tst:20150425017" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150425003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-clients is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150425018" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam_ssh_agent_auth is earlier than 0:0.9.3-9.11.el7" id="oval:com.redhat.rhsa:tst:20150425019" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150425004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam_ssh_agent_auth is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150425020" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="virt-who is earlier than 0:0.11-5.el7" id="oval:com.redhat.rhsa:tst:20150430005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150430005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150430003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="virt-who is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150430006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150430005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5 is earlier than 0:1.12.2-14.el7" id="oval:com.redhat.rhsa:tst:20150439005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150439003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150439006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-pkinit is earlier than 0:1.12.2-14.el7" id="oval:com.redhat.rhsa:tst:20150439007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150439003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-pkinit is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150439008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-devel is earlier than 0:1.12.2-14.el7" id="oval:com.redhat.rhsa:tst:20150439009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150439003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150439010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-server is earlier than 0:1.12.2-14.el7" id="oval:com.redhat.rhsa:tst:20150439011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150439003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150439012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-workstation is earlier than 0:1.12.2-14.el7" id="oval:com.redhat.rhsa:tst:20150439013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150439003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-workstation is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150439014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-server-ldap is earlier than 0:1.12.2-14.el7" id="oval:com.redhat.rhsa:tst:20150439015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150439003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-server-ldap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150439016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-libs is earlier than 0:1.12.2-14.el7" id="oval:com.redhat.rhsa:tst:20150439017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150439003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150439018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa is earlier than 0:4.1.0-18.el7" id="oval:com.redhat.rhsa:tst:20150442005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150442003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150442006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-python is earlier than 0:4.1.0-18.el7" id="oval:com.redhat.rhsa:tst:20150442007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150442003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150442008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-client is earlier than 0:4.1.0-18.el7" id="oval:com.redhat.rhsa:tst:20150442009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150442003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-client is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150442010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-admintools is earlier than 0:4.1.0-18.el7" id="oval:com.redhat.rhsa:tst:20150442011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150442003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-admintools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150442012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-server is earlier than 0:4.1.0-18.el7" id="oval:com.redhat.rhsa:tst:20150442013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150442003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150442014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-server-trust-ad is earlier than 0:4.1.0-18.el7" id="oval:com.redhat.rhsa:tst:20150442015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150442003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-server-trust-ad is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150442016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cogl is earlier than 0:1.14.0-6.el7" id="oval:com.redhat.rhsa:tst:20150535005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cogl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cogl-doc is earlier than 0:1.14.0-6.el7" id="oval:com.redhat.rhsa:tst:20150535007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cogl-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cogl-devel is earlier than 0:1.14.0-6.el7" id="oval:com.redhat.rhsa:tst:20150535009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cogl-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="clutter is earlier than 0:1.14.4-12.el7" id="oval:com.redhat.rhsa:tst:20150535011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="clutter is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="clutter-devel is earlier than 0:1.14.4-12.el7" id="oval:com.redhat.rhsa:tst:20150535013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="clutter-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="clutter-doc is earlier than 0:1.14.4-12.el7" id="oval:com.redhat.rhsa:tst:20150535015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="clutter-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnome-shell is earlier than 0:3.8.4-45.el7" id="oval:com.redhat.rhsa:tst:20150535017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnome-shell is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnome-shell-browser-plugin is earlier than 0:3.8.4-45.el7" id="oval:com.redhat.rhsa:tst:20150535019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnome-shell-browser-plugin is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mutter is earlier than 0:3.8.4-16.el7" id="oval:com.redhat.rhsa:tst:20150535021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mutter is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mutter-devel is earlier than 0:3.8.4-16.el7" id="oval:com.redhat.rhsa:tst:20150535023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150535006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mutter-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150535024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.5.0-2.el7_1" id="oval:com.redhat.rhsa:tst:20150642005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150642003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150642006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.8.2-0.30.rc1.el6_6.2" id="oval:com.redhat.rhsa:tst:20150672005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.8.2-0.30.rc1.el6_6.2" id="oval:com.redhat.rhsa:tst:20150672007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.8.2-0.30.rc1.el6_6.2" id="oval:com.redhat.rhsa:tst:20150672009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.8.2-0.30.rc1.el6_6.2" id="oval:com.redhat.rhsa:tst:20150672011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.8.2-0.30.rc1.el6_6.2" id="oval:com.redhat.rhsa:tst:20150672013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.8.2-0.30.rc1.el6_6.2" id="oval:com.redhat.rhsa:tst:20150672015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb-chroot is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs-lite is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-lite-devel is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-license is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.9.4-18.el7_1.1" id="oval:com.redhat.rhsa:tst:20150672034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150672005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="freetype is earlier than 0:2.3.11-15.el6_6.1" id="oval:com.redhat.rhsa:tst:20150696005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150696005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150696003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="freetype is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150696006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150696005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="freetype-devel is earlier than 0:2.3.11-15.el6_6.1" id="oval:com.redhat.rhsa:tst:20150696007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150696006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150696003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="freetype-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150696008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150696006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="freetype-demos is earlier than 0:2.3.11-15.el6_6.1" id="oval:com.redhat.rhsa:tst:20150696009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150696007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150696003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="freetype-demos is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150696010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150696007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="freetype is earlier than 0:2.4.11-10.el7_1.1" id="oval:com.redhat.rhsa:tst:20150696015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150696005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150696005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="freetype-devel is earlier than 0:2.4.11-10.el7_1.1" id="oval:com.redhat.rhsa:tst:20150696016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150696006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150696005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="freetype-demos is earlier than 0:2.4.11-10.el7_1.1" id="oval:com.redhat.rhsa:tst:20150696017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150696007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150696005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unzip is earlier than 0:6.0-2.el6_6" id="oval:com.redhat.rhsa:tst:20150700005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150700005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150700003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unzip is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150700006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150700005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unzip is earlier than 0:6.0-15.el7" id="oval:com.redhat.rhsa:tst:20150700011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150700005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150700005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-42.el7_1.4" id="oval:com.redhat.rhsa:tst:20150716005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150716003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-42.el7_1.4" id="oval:com.redhat.rhsa:tst:20150716007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150716003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-42.el7_1.4" id="oval:com.redhat.rhsa:tst:20150716009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150716003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-42.el7_1.4" id="oval:com.redhat.rhsa:tst:20150716011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150716003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-42.el7_1.4" id="oval:com.redhat.rhsa:tst:20150716013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150716003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.5.3-1.el5_11" id="oval:com.redhat.rhsa:tst:20150718002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150718004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.5.3-1.el6_6" id="oval:com.redhat.rhsa:tst:20150718008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150718006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.5.3-3.el7_1" id="oval:com.redhat.rhsa:tst:20150718014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150718008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.1.2.el7" id="oval:com.redhat.rhsa:tst:20150726033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150726003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" id="oval:com.redhat.rhsa:tst:20150727005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150727003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150727006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" id="oval:com.redhat.rhsa:tst:20150727007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150727003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150727008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" id="oval:com.redhat.rhsa:tst:20150727009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150727003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150727010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" id="oval:com.redhat.rhsa:tst:20150727011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150727003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150727012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" id="oval:com.redhat.rhsa:tst:20150727013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150727003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150727014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" id="oval:com.redhat.rhsa:tst:20150727015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150727003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150727016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" id="oval:com.redhat.rhsa:tst:20150727017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150727003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150727018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" id="oval:com.redhat.rhsa:tst:20150727019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150727003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150727020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is earlier than 0:3.10.0-229.1.2.rt56.141.2.el7_1" id="oval:com.redhat.rhsa:tst:20150727021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150727003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150727022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="slapi-nis is earlier than 0:0.54-3.el7_1" id="oval:com.redhat.rhsa:tst:20150728005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150728005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150728003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="slapi-nis is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150728006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150728005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa is earlier than 0:4.1.0-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20150728007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150728004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-python is earlier than 0:4.1.0-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20150728009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150728004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-admintools is earlier than 0:4.1.0-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20150728011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150728004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-client is earlier than 0:4.1.0-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20150728013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150728004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-server is earlier than 0:4.1.0-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20150728015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150728004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ipa-server-trust-ad is earlier than 0:4.1.0-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20150728017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150442010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150728004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot is earlier than 0:2.0.5-7.el5_11" id="oval:com.redhat.rhsa:tst:20150729002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150729004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20150729003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot-server is earlier than 0:2.0.5-7.el5_11" id="oval:com.redhat.rhsa:tst:20150729004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150729004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot-server is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20150729005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot is earlier than 0:3.0.47-6.el6_6.1" id="oval:com.redhat.rhsa:tst:20150729010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150729006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150729011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot-doc is earlier than 0:3.0.47-6.el6_6.1" id="oval:com.redhat.rhsa:tst:20150729012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150729006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150729013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot-server is earlier than 0:3.0.47-6.el6_6.1" id="oval:com.redhat.rhsa:tst:20150729014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150729006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150729015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot is earlier than 0:3.2.17-4.1.el7_1" id="oval:com.redhat.rhsa:tst:20150729020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150729008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="setroubleshoot-server is earlier than 0:3.2.17-4.1.el7_1" id="oval:com.redhat.rhsa:tst:20150729021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150729003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150729008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2 is earlier than 0:2.9.1-5.el7_1.2" id="oval:com.redhat.rhsa:tst:20150749005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150749003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-devel is earlier than 0:2.9.1-5.el7_1.2" id="oval:com.redhat.rhsa:tst:20150749007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150749003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-python is earlier than 0:2.9.1-5.el7_1.2" id="oval:com.redhat.rhsa:tst:20150749009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150749003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-static is earlier than 0:2.9.1-5.el7_1.2" id="oval:com.redhat.rhsa:tst:20150749011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150749003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plpython is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plpython is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-server is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plperl is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plperl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-devel is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-docs is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-docs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-contrib is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-contrib is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-libs is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-pltcl is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-pltcl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-test is earlier than 0:8.4.20-2.el6_6" id="oval:com.redhat.rhsa:tst:20150750023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-test is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plperl is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plpython is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-contrib is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-libs is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-devel is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-server is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-upgrade is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-upgrade is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150750037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-pltcl is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-docs is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-test is earlier than 0:9.2.10-2.el7_1" id="oval:com.redhat.rhsa:tst:20150750040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150750005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.6.0-2.el5_11" id="oval:com.redhat.rhsa:tst:20150766002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150766004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.6.0-2.el6_6" id="oval:com.redhat.rhsa:tst:20150766008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150766006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner is earlier than 0:31.6.0-2.el7_1" id="oval:com.redhat.rhsa:tst:20150766014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150766008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xulrunner-devel is earlier than 0:31.6.0-2.el7_1" id="oval:com.redhat.rhsa:tst:20150766016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150766008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:31.6.0-2.el7_1" id="oval:com.redhat.rhsa:tst:20150766018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150766008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="flac is earlier than 0:1.2.1-7.el6_6" id="oval:com.redhat.rhsa:tst:20150767005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150767005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="flac is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150767006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150767005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="flac-devel is earlier than 0:1.2.1-7.el6_6" id="oval:com.redhat.rhsa:tst:20150767007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150767006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150767003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="flac-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150767008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150767006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="flac is earlier than 0:1.3.0-5.el7_1" id="oval:com.redhat.rhsa:tst:20150767013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150767005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="flac-devel is earlier than 0:1.3.0-5.el7_1" id="oval:com.redhat.rhsa:tst:20150767014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150767006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="flac-libs is earlier than 0:1.3.0-5.el7_1" id="oval:com.redhat.rhsa:tst:20150767015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150767007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150767005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="flac-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150767016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150767007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.6.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20150771002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150771004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20150771003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.6.0-1.el6_6" id="oval:com.redhat.rhsa:tst:20150771008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150771006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.6.0-1.el7_1" id="oval:com.redhat.rhsa:tst:20150771014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150771008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server is earlier than 0:1.15.0-26.el6_6" id="oval:com.redhat.rhsa:tst:20150797005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xorg is earlier than 0:1.15.0-26.el6_6" id="oval:com.redhat.rhsa:tst:20150797007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xvfb is earlier than 0:1.15.0-26.el6_6" id="oval:com.redhat.rhsa:tst:20150797009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xnest is earlier than 0:1.15.0-26.el6_6" id="oval:com.redhat.rhsa:tst:20150797011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-source is earlier than 0:1.15.0-26.el6_6" id="oval:com.redhat.rhsa:tst:20150797013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-common is earlier than 0:1.15.0-26.el6_6" id="oval:com.redhat.rhsa:tst:20150797015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-devel is earlier than 0:1.15.0-26.el6_6" id="oval:com.redhat.rhsa:tst:20150797017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xephyr is earlier than 0:1.15.0-26.el6_6" id="oval:com.redhat.rhsa:tst:20150797019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xdmx is earlier than 0:1.15.0-26.el6_6" id="oval:com.redhat.rhsa:tst:20150797021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server is earlier than 0:1.15.0-33.el7_1" id="oval:com.redhat.rhsa:tst:20150797027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xnest is earlier than 0:1.15.0-33.el7_1" id="oval:com.redhat.rhsa:tst:20150797028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-devel is earlier than 0:1.15.0-33.el7_1" id="oval:com.redhat.rhsa:tst:20150797029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-source is earlier than 0:1.15.0-33.el7_1" id="oval:com.redhat.rhsa:tst:20150797030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xdmx is earlier than 0:1.15.0-33.el7_1" id="oval:com.redhat.rhsa:tst:20150797031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-common is earlier than 0:1.15.0-33.el7_1" id="oval:com.redhat.rhsa:tst:20150797032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xvfb is earlier than 0:1.15.0-33.el7_1" id="oval:com.redhat.rhsa:tst:20150797033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xorg is earlier than 0:1.15.0-33.el7_1" id="oval:com.redhat.rhsa:tst:20150797034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xorg-x11-server-Xephyr is earlier than 0:1.15.0-33.el7_1" id="oval:com.redhat.rhsa:tst:20150797035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141983009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150797005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.79-2.5.5.1.el6_6" id="oval:com.redhat.rhsa:tst:20150806005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.79-2.5.5.1.el6_6" id="oval:com.redhat.rhsa:tst:20150806007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.79-2.5.5.1.el6_6" id="oval:com.redhat.rhsa:tst:20150806009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.79-2.5.5.1.el6_6" id="oval:com.redhat.rhsa:tst:20150806011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.79-2.5.5.1.el6_6" id="oval:com.redhat.rhsa:tst:20150806013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.79-2.5.5.1.el7_1" id="oval:com.redhat.rhsa:tst:20150806019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.79-2.5.5.1.el7_1" id="oval:com.redhat.rhsa:tst:20150806020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.79-2.5.5.1.el7_1" id="oval:com.redhat.rhsa:tst:20150806022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.79-2.5.5.1.el7_1" id="oval:com.redhat.rhsa:tst:20150806023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.79-2.5.5.1.el7_1" id="oval:com.redhat.rhsa:tst:20150806024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.79-2.5.5.1.el7_1" id="oval:com.redhat.rhsa:tst:20150806025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.79-2.5.5.1.el7_1" id="oval:com.redhat.rhsa:tst:20150806027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150806005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.35-1.13.7.1.el5_11" id="oval:com.redhat.rhsa:tst:20150808002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.35-1.13.7.1.el5_11" id="oval:com.redhat.rhsa:tst:20150808004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.35-1.13.7.1.el5_11" id="oval:com.redhat.rhsa:tst:20150808006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.35-1.13.7.1.el5_11" id="oval:com.redhat.rhsa:tst:20150808008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.35-1.13.7.1.el5_11" id="oval:com.redhat.rhsa:tst:20150808010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.35-1.13.7.1.el6_6" id="oval:com.redhat.rhsa:tst:20150808016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.35-1.13.7.1.el6_6" id="oval:com.redhat.rhsa:tst:20150808018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.35-1.13.7.1.el6_6" id="oval:com.redhat.rhsa:tst:20150808020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.35-1.13.7.1.el6_6" id="oval:com.redhat.rhsa:tst:20150808022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.35-1.13.7.1.el6_6" id="oval:com.redhat.rhsa:tst:20150808024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.35-1.13.7.1.el7_1" id="oval:com.redhat.rhsa:tst:20150808030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.35-1.13.7.1.el7_1" id="oval:com.redhat.rhsa:tst:20150808031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.35-1.13.7.1.el7_1" id="oval:com.redhat.rhsa:tst:20150808032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.35-1.13.7.1.el7_1" id="oval:com.redhat.rhsa:tst:20150808033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.35-1.13.7.1.el7_1" id="oval:com.redhat.rhsa:tst:20150808034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150808008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk is earlier than 1:1.8.0.45-28.b13.el6_6" id="oval:com.redhat.rhsa:tst:20150809005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150809006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.45-28.b13.el6_6" id="oval:com.redhat.rhsa:tst:20150809007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150809008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.45-28.b13.el6_6" id="oval:com.redhat.rhsa:tst:20150809009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150809010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.45-28.b13.el6_6" id="oval:com.redhat.rhsa:tst:20150809011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150809012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.45-28.b13.el6_6" id="oval:com.redhat.rhsa:tst:20150809013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150809014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.45-28.b13.el6_6" id="oval:com.redhat.rhsa:tst:20150809015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150809016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk is earlier than 1:1.8.0.45-30.b13.el7_1" id="oval:com.redhat.rhsa:tst:20150809021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.45-30.b13.el7_1" id="oval:com.redhat.rhsa:tst:20150809022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150809023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.45-30.b13.el7_1" id="oval:com.redhat.rhsa:tst:20150809024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.45-30.b13.el7_1" id="oval:com.redhat.rhsa:tst:20150809025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.45-30.b13.el7_1" id="oval:com.redhat.rhsa:tst:20150809026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.45-30.b13.el7_1" id="oval:com.redhat.rhsa:tst:20150809027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.45-30.b13.el7_1" id="oval:com.redhat.rhsa:tst:20150809028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150809005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-libs is earlier than 0:1.3.3.1-16.el7_1" id="oval:com.redhat.rhsa:tst:20150895005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150895003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base is earlier than 0:1.3.3.1-16.el7_1" id="oval:com.redhat.rhsa:tst:20150895007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150895003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-devel is earlier than 0:1.3.3.1-16.el7_1" id="oval:com.redhat.rhsa:tst:20150895009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150895003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcs is earlier than 0:0.9.137-13.el7_1.2" id="oval:com.redhat.rhsa:tst:20150980005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150980005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150980003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150980006" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150980005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-clufter is earlier than 0:0.9.137-13.el7_1.2" id="oval:com.redhat.rhsa:tst:20150980007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150980006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150980003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-clufter is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150980008" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150980006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20150981005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20150981007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20150981009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20150981011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20150981013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20150981015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20150981017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20150981019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.4.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20150981021" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-docs-webapp is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-el-2.2-api is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-admin-webapps is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-webapps is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-javadoc is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsp-2.2-api is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-servlet-3.0-api is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-lib is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983021" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tomcat-jsvc is earlier than 0:7.0.54-2.el7_1" id="oval:com.redhat.rhsa:tst:20150983023" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140686013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150983003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kexec-tools-anaconda-addon is earlier than 0:2.0.7-19.el7_1.2" id="oval:com.redhat.rhsa:tst:20150986005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150986005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150986003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kexec-tools-anaconda-addon is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150986006" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150986005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kexec-tools-eppic is earlier than 0:2.0.7-19.el7_1.2" id="oval:com.redhat.rhsa:tst:20150986007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150986006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150986003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kexec-tools-eppic is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150986008" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150986006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kexec-tools is earlier than 0:2.0.7-19.el7_1.2" id="oval:com.redhat.rhsa:tst:20150986009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150986007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150986003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kexec-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20150986010" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150986007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-229.4.2.el7" id="oval:com.redhat.rhsa:tst:20150987033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150987003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.0-4.el5_11" id="oval:com.redhat.rhsa:tst:20150988002" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150988004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.0-4.el6_6" id="oval:com.redhat.rhsa:tst:20150988008" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150988006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.0-3.el7_1" id="oval:com.redhat.rhsa:tst:20150988014" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150988008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is earlier than 10:1.5.3-86.el7_1.2" id="oval:com.redhat.rhsa:tst:20150999005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150999003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is earlier than 10:1.5.3-86.el7_1.2" id="oval:com.redhat.rhsa:tst:20150999007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150999003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is earlier than 10:1.5.3-86.el7_1.2" id="oval:com.redhat.rhsa:tst:20150999009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150999003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is earlier than 10:1.5.3-86.el7_1.2" id="oval:com.redhat.rhsa:tst:20150999011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150999003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is earlier than 10:1.5.3-86.el7_1.2" id="oval:com.redhat.rhsa:tst:20150999013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150999003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7_1.2" id="oval:com.redhat.rhsa:tst:20150999015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150999003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.2" id="oval:com.redhat.rhsa:tst:20150999017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20150999003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.7.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20151012002" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151012004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.7.0-1.el6_6" id="oval:com.redhat.rhsa:tst:20151012008" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151012006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.7.0-1.el7_1" id="oval:com.redhat.rhsa:tst:20151012014" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151012008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 0:1.0.1e-30.el6_6.9" id="oval:com.redhat.rhsa:tst:20151072005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151072003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 0:1.0.1e-30.el6_6.9" id="oval:com.redhat.rhsa:tst:20151072007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151072003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 0:1.0.1e-30.el6_6.9" id="oval:com.redhat.rhsa:tst:20151072009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151072003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 0:1.0.1e-30.el6_6.9" id="oval:com.redhat.rhsa:tst:20151072011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151072003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-42.el7_1.6" id="oval:com.redhat.rhsa:tst:20151072017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151072005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-42.el7_1.6" id="oval:com.redhat.rhsa:tst:20151072018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151072005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-42.el7_1.6" id="oval:com.redhat.rhsa:tst:20151072019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151072005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-42.el7_1.6" id="oval:com.redhat.rhsa:tst:20151072021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151072005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-42.el7_1.6" id="oval:com.redhat.rhsa:tst:20151072022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151072005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-kerneloops is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-kerneloops is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-libs is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-devel is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-console-notification is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-console-notification is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-gui-devel is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-gui-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-xorg is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-xorg is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-vmcore is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-vmcore is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-gui is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-gui is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-pstoreoops is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-pstoreoops is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-desktop is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-desktop is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-gui-libs is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-gui-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-python is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-cli is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-cli is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-python is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-retrace-client is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-retrace-client is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-dbus is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-dbus is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-tui is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-tui is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-ccpp is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-ccpp is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-upload-watch is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-upload-watch is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083044" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-python-doc is earlier than 0:2.1.11-22.el7_1" id="oval:com.redhat.rhsa:tst:20151083045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-python-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083046" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-ureport is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-ureport is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083048" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-rhel-anaconda-bugzilla is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-rhel-anaconda-bugzilla is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083050" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-rhel-bugzilla is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-rhel-bugzilla is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083052" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-gtk is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083053" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-gtk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083054" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-logger is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083055" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083030"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-logger is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083056" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083030"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-devel is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083057" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083031"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083058" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083031"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-mailx is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083059" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083032"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-mailx is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083060" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083032"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-reportuploader is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083061" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083033"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-reportuploader is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083062" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083033"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-python is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083063" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083034"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083064" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083034"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-newt is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083065" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083035"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-newt is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083066" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083035"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083067" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083036"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083068" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083036"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-bugzilla is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083069" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083037"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-bugzilla is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083070" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083037"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-filesystem is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083071" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083038"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-filesystem is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083072" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083038"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-cli is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083073" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083039"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-cli is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083074" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083039"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-gtk-devel is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083075" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083040"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-gtk-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083076" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083040"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-kerneloops is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083077" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083041"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-kerneloops is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083078" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083041"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-rhtsupport is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083079" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083042"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-rhtsupport is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083080" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083042"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-web is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083081" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083043"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-web is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083082" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083043"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-web-devel is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083083" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083044"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-web-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083084" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083044"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-compat is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083085" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083045"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-compat is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083086" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083045"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-anaconda is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083087" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083046"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-anaconda is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083088" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083046"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-rhel is earlier than 0:2.1.11-23.el7_1" id="oval:com.redhat.rhsa:tst:20151083089" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083047"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151083004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-rhel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151083090" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083047"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wpa_supplicant is earlier than 1:2.0-17.el7_1" id="oval:com.redhat.rhsa:tst:20151090005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141956005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151090003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 0:1.0.1e-30.el6_6.11" id="oval:com.redhat.rhsa:tst:20151115005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151115003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 0:1.0.1e-30.el6_6.11" id="oval:com.redhat.rhsa:tst:20151115007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151115003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 0:1.0.1e-30.el6_6.11" id="oval:com.redhat.rhsa:tst:20151115009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151115003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 0:1.0.1e-30.el6_6.11" id="oval:com.redhat.rhsa:tst:20151115011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151115003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-42.el7_1.8" id="oval:com.redhat.rhsa:tst:20151115017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151115005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-42.el7_1.8" id="oval:com.redhat.rhsa:tst:20151115018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151115005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-42.el7_1.8" id="oval:com.redhat.rhsa:tst:20151115019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151115005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-42.el7_1.8" id="oval:com.redhat.rhsa:tst:20151115021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151115005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-42.el7_1.8" id="oval:com.redhat.rhsa:tst:20151115022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151115005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-libs is earlier than 1:1.4.2-67.el6_6.1" id="oval:com.redhat.rhsa:tst:20151123005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151123006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-devel is earlier than 1:1.4.2-67.el6_6.1" id="oval:com.redhat.rhsa:tst:20151123007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151123008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups is earlier than 1:1.4.2-67.el6_6.1" id="oval:com.redhat.rhsa:tst:20151123009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151123010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-php is earlier than 1:1.4.2-67.el6_6.1" id="oval:com.redhat.rhsa:tst:20151123011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-php is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151123012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-lpd is earlier than 1:1.4.2-67.el6_6.1" id="oval:com.redhat.rhsa:tst:20151123013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-lpd is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151123014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-devel is earlier than 1:1.6.3-17.el7_1.1" id="oval:com.redhat.rhsa:tst:20151123019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups is earlier than 1:1.6.3-17.el7_1.1" id="oval:com.redhat.rhsa:tst:20151123020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-ipptool is earlier than 1:1.6.3-17.el7_1.1" id="oval:com.redhat.rhsa:tst:20151123021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-ipptool is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151123022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-libs is earlier than 1:1.6.3-17.el7_1.1" id="oval:com.redhat.rhsa:tst:20151123023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-client is earlier than 1:1.6.3-17.el7_1.1" id="oval:com.redhat.rhsa:tst:20151123024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-client is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151123025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-lpd is earlier than 1:1.6.3-17.el7_1.1" id="oval:com.redhat.rhsa:tst:20151123026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filesystem is earlier than 1:1.6.3-17.el7_1.1" id="oval:com.redhat.rhsa:tst:20151123027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151123005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filesystem is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151123028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151123012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pgsql is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-enchant is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pdo is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mbstring is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-odbc is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-devel is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-process is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-common is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135021" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xml is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135023" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-recode is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135025" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-intl is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135027" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-ldap is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135029" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-embedded is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135031" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-gd is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135033" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-fpm is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135035" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-pspell is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135037" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-cli is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135039" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-dba is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135041" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-bcmath is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135043" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-snmp is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135045" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysql is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135047" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-mysqlnd is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135049" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-xmlrpc is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135051" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="php-soap is earlier than 0:5.4.16-36.el7_1" id="oval:com.redhat.rhsa:tst:20151135053" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141013009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151135003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137021" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137023" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137025" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137027" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137029" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137031" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-229.7.2.el7" id="oval:com.redhat.rhsa:tst:20151137033" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151137003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20151139005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151139003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20151139007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151139003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20151139009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151139003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20151139011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151139003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20151139013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151139003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20151139015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151139003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20151139017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151139003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20151139019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151139003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is earlier than 0:3.10.0-229.7.2.rt56.141.6.el7_1" id="oval:com.redhat.rhsa:tst:20151139021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151139003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mailman is earlier than 3:2.1.15-21.el7_1" id="oval:com.redhat.rhsa:tst:20151153005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151153005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151153003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mailman is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151153006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151153005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreswan is earlier than 0:3.12-10.1.el7_1" id="oval:com.redhat.rhsa:tst:20151154005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151154005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151154003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreswan is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151154006" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151154005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is earlier than 0:3.19.1-1.el6_6" id="oval:com.redhat.rhsa:tst:20151185005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is earlier than 0:3.19.1-1.el6_6" id="oval:com.redhat.rhsa:tst:20151185007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.19.1-3.el6_6" id="oval:com.redhat.rhsa:tst:20151185009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.19.1-3.el6_6" id="oval:com.redhat.rhsa:tst:20151185011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.19.1-3.el6_6" id="oval:com.redhat.rhsa:tst:20151185013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.19.1-3.el6_6" id="oval:com.redhat.rhsa:tst:20151185015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.19.1-3.el6_6" id="oval:com.redhat.rhsa:tst:20151185017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is earlier than 0:3.19.1-1.el7_1" id="oval:com.redhat.rhsa:tst:20151185023" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is earlier than 0:3.19.1-1.el7_1" id="oval:com.redhat.rhsa:tst:20151185024" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.19.1-3.el7_1" id="oval:com.redhat.rhsa:tst:20151185025" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.19.1-3.el7_1" id="oval:com.redhat.rhsa:tst:20151185026" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.19.1-3.el7_1" id="oval:com.redhat.rhsa:tst:20151185027" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.19.1-3.el7_1" id="oval:com.redhat.rhsa:tst:20151185028" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.19.1-3.el7_1" id="oval:com.redhat.rhsa:tst:20151185029" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151185007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-c is earlier than 0:3.1.1-7.el7_1" id="oval:com.redhat.rhsa:tst:20151193005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151193005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151193003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-c is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151193006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151193005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-c-devel is earlier than 0:3.1.1-7.el7_1" id="oval:com.redhat.rhsa:tst:20151193007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151193006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151193003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-c-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151193008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151193006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-c-doc is earlier than 0:3.1.1-7.el7_1" id="oval:com.redhat.rhsa:tst:20151193009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151193007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151193003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xerces-c-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151193010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151193007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plpython is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-contrib is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plperl is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-test is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-server is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-libs is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-docs is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-devel is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-pltcl is earlier than 0:8.4.20-3.el6_6" id="oval:com.redhat.rhsa:tst:20151194023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-test is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-devel is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-docs is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-upgrade is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plperl is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-server is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-libs is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plpython is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-pltcl is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-contrib is earlier than 0:9.2.13-1.el7_1" id="oval:com.redhat.rhsa:tst:20151194040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151194005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.1.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20151207002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151207004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.1.0-1.el6_6" id="oval:com.redhat.rhsa:tst:20151207008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151207006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.1.0-1.el7_1" id="oval:com.redhat.rhsa:tst:20151207014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151207008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.51-0.b16.el6_6" id="oval:com.redhat.rhsa:tst:20151228005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.51-0.b16.el6_6" id="oval:com.redhat.rhsa:tst:20151228007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk is earlier than 1:1.8.0.51-0.b16.el6_6" id="oval:com.redhat.rhsa:tst:20151228009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.51-0.b16.el6_6" id="oval:com.redhat.rhsa:tst:20151228011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.51-0.b16.el6_6" id="oval:com.redhat.rhsa:tst:20151228013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.51-0.b16.el6_6" id="oval:com.redhat.rhsa:tst:20151228015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.51-1.b16.el7_1" id="oval:com.redhat.rhsa:tst:20151228021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk is earlier than 1:1.8.0.51-1.b16.el7_1" id="oval:com.redhat.rhsa:tst:20151228022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.51-1.b16.el7_1" id="oval:com.redhat.rhsa:tst:20151228023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.51-1.b16.el7_1" id="oval:com.redhat.rhsa:tst:20151228024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.51-1.b16.el7_1" id="oval:com.redhat.rhsa:tst:20151228026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.51-1.b16.el7_1" id="oval:com.redhat.rhsa:tst:20151228027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.51-1.b16.el7_1" id="oval:com.redhat.rhsa:tst:20151228028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151228005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.85-2.6.1.3.el6_6" id="oval:com.redhat.rhsa:tst:20151229005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.85-2.6.1.3.el6_6" id="oval:com.redhat.rhsa:tst:20151229007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.85-2.6.1.3.el6_6" id="oval:com.redhat.rhsa:tst:20151229009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.85-2.6.1.3.el6_6" id="oval:com.redhat.rhsa:tst:20151229011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.85-2.6.1.3.el6_6" id="oval:com.redhat.rhsa:tst:20151229013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.85-2.6.1.2.el7_1" id="oval:com.redhat.rhsa:tst:20151229019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.85-2.6.1.2.el7_1" id="oval:com.redhat.rhsa:tst:20151229021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.85-2.6.1.2.el7_1" id="oval:com.redhat.rhsa:tst:20151229022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.85-2.6.1.2.el7_1" id="oval:com.redhat.rhsa:tst:20151229024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.85-2.6.1.2.el7_1" id="oval:com.redhat.rhsa:tst:20151229025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.85-2.6.1.2.el7_1" id="oval:com.redhat.rhsa:tst:20151229026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.85-2.6.1.2.el7_1" id="oval:com.redhat.rhsa:tst:20151229027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151229005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-lite-devel is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs-lite is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb-chroot is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-license is earlier than 32:9.9.4-18.el7_1.2" id="oval:com.redhat.rhsa:tst:20151443023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151443003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.8.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20151455002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151455004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.8.0-1.el6_6" id="oval:com.redhat.rhsa:tst:20151455008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151455006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:31.8.0-1.el7_1" id="oval:com.redhat.rhsa:tst:20151455014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151455008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libuser-devel is earlier than 0:0.60-7.el7_1" id="oval:com.redhat.rhsa:tst:20151483005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151483005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151483003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libuser-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151483006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151483005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libuser-python is earlier than 0:0.60-7.el7_1" id="oval:com.redhat.rhsa:tst:20151483007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151483006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151483003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libuser-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151483008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151483006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libuser is earlier than 0:0.60-7.el7_1" id="oval:com.redhat.rhsa:tst:20151483009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151483007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151483003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libuser is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151483010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151483007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is earlier than 10:1.5.3-86.el7_1.5" id="oval:com.redhat.rhsa:tst:20151507005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151507003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is earlier than 10:1.5.3-86.el7_1.5" id="oval:com.redhat.rhsa:tst:20151507007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151507003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is earlier than 10:1.5.3-86.el7_1.5" id="oval:com.redhat.rhsa:tst:20151507009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151507003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is earlier than 10:1.5.3-86.el7_1.5" id="oval:com.redhat.rhsa:tst:20151507011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151507003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7_1.5" id="oval:com.redhat.rhsa:tst:20151507013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151507003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is earlier than 10:1.5.3-86.el7_1.5" id="oval:com.redhat.rhsa:tst:20151507015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151507003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.5" id="oval:com.redhat.rhsa:tst:20151507017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151507003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="clutter-doc is earlier than 0:1.14.4-12.el7_1.1" id="oval:com.redhat.rhsa:tst:20151510005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151510003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="clutter-devel is earlier than 0:1.14.4-12.el7_1.1" id="oval:com.redhat.rhsa:tst:20151510007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151510003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="clutter is earlier than 0:1.14.4-12.el7_1.1" id="oval:com.redhat.rhsa:tst:20151510009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150535008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151510003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.8.2-0.37.rc1.el6_7.2" id="oval:com.redhat.rhsa:tst:20151513005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.8.2-0.37.rc1.el6_7.2" id="oval:com.redhat.rhsa:tst:20151513007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.8.2-0.37.rc1.el6_7.2" id="oval:com.redhat.rhsa:tst:20151513009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.8.2-0.37.rc1.el6_7.2" id="oval:com.redhat.rhsa:tst:20151513011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.8.2-0.37.rc1.el6_7.2" id="oval:com.redhat.rhsa:tst:20151513013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.8.2-0.37.rc1.el6_7.2" id="oval:com.redhat.rhsa:tst:20151513015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb-chroot is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-lite-devel is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs-lite is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-license is earlier than 32:9.9.4-18.el7_1.3" id="oval:com.redhat.rhsa:tst:20151513033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151513005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.36-1.13.8.1.el5_11" id="oval:com.redhat.rhsa:tst:20151526002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.36-1.13.8.1.el5_11" id="oval:com.redhat.rhsa:tst:20151526004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.36-1.13.8.1.el5_11" id="oval:com.redhat.rhsa:tst:20151526006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.36-1.13.8.1.el5_11" id="oval:com.redhat.rhsa:tst:20151526008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.36-1.13.8.1.el5_11" id="oval:com.redhat.rhsa:tst:20151526010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.36-1.13.8.1.el6_7" id="oval:com.redhat.rhsa:tst:20151526016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.36-1.13.8.1.el6_7" id="oval:com.redhat.rhsa:tst:20151526018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.36-1.13.8.1.el6_7" id="oval:com.redhat.rhsa:tst:20151526020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.36-1.13.8.1.el6_7" id="oval:com.redhat.rhsa:tst:20151526022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.36-1.13.8.1.el6_7" id="oval:com.redhat.rhsa:tst:20151526024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.36-1.13.8.1.el7_1" id="oval:com.redhat.rhsa:tst:20151526030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.36-1.13.8.1.el7_1" id="oval:com.redhat.rhsa:tst:20151526031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.36-1.13.8.1.el7_1" id="oval:com.redhat.rhsa:tst:20151526032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.36-1.13.8.1.el7_1" id="oval:com.redhat.rhsa:tst:20151526033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.36-1.13.8.1.el7_1" id="oval:com.redhat.rhsa:tst:20151526034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151526008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-229.11.1.el7" id="oval:com.redhat.rhsa:tst:20151534033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151534003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" id="oval:com.redhat.rhsa:tst:20151565005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151565003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" id="oval:com.redhat.rhsa:tst:20151565007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151565003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" id="oval:com.redhat.rhsa:tst:20151565009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151565003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" id="oval:com.redhat.rhsa:tst:20151565011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151565003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" id="oval:com.redhat.rhsa:tst:20151565013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151565003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" id="oval:com.redhat.rhsa:tst:20151565015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151565003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" id="oval:com.redhat.rhsa:tst:20151565017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151565003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" id="oval:com.redhat.rhsa:tst:20151565019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151565003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is earlier than 0:3.10.0-229.11.1.rt56.141.11.el7_1" id="oval:com.redhat.rhsa:tst:20151565021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151565003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.1.1-1.el5_11" id="oval:com.redhat.rhsa:tst:20151581002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151581004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.1.1-1.el6_7" id="oval:com.redhat.rhsa:tst:20151581008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151581006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.1.1-1.el7_1" id="oval:com.redhat.rhsa:tst:20151581014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151581008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.2.0-4.el5_11" id="oval:com.redhat.rhsa:tst:20151586002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151586004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.2.0-4.el6_7" id="oval:com.redhat.rhsa:tst:20151586008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151586006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.2.0-4.el7_1" id="oval:com.redhat.rhsa:tst:20151586014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151586008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lemon is earlier than 0:3.7.17-6.el7_1.1" id="oval:com.redhat.rhsa:tst:20151635005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151635003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="lemon is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151635006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sqlite is earlier than 0:3.7.17-6.el7_1.1" id="oval:com.redhat.rhsa:tst:20151635007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151635003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sqlite is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151635008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sqlite-tcl is earlier than 0:3.7.17-6.el7_1.1" id="oval:com.redhat.rhsa:tst:20151635009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151635003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sqlite-tcl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151635010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sqlite-devel is earlier than 0:3.7.17-6.el7_1.1" id="oval:com.redhat.rhsa:tst:20151635011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151635003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sqlite-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151635012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sqlite-doc is earlier than 0:3.7.17-6.el7_1.1" id="oval:com.redhat.rhsa:tst:20151635013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151635003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sqlite-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151635014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151635009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-utils is earlier than 1:5.5-54.el6_7.1" id="oval:com.redhat.rhsa:tst:20151636005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-utils is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151636006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp is earlier than 1:5.5-54.el6_7.1" id="oval:com.redhat.rhsa:tst:20151636007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151636008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-libs is earlier than 1:5.5-54.el6_7.1" id="oval:com.redhat.rhsa:tst:20151636009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151636010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-devel is earlier than 1:5.5-54.el6_7.1" id="oval:com.redhat.rhsa:tst:20151636011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151636012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-python is earlier than 1:5.5-54.el6_7.1" id="oval:com.redhat.rhsa:tst:20151636013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151636014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-perl is earlier than 1:5.5-54.el6_7.1" id="oval:com.redhat.rhsa:tst:20151636015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-perl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151636016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp is earlier than 1:5.7.2-20.el7_1.1" id="oval:com.redhat.rhsa:tst:20151636021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-utils is earlier than 1:5.7.2-20.el7_1.1" id="oval:com.redhat.rhsa:tst:20151636022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-sysvinit is earlier than 1:5.7.2-20.el7_1.1" id="oval:com.redhat.rhsa:tst:20151636023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-sysvinit is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151636024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-agent-libs is earlier than 1:5.7.2-20.el7_1.1" id="oval:com.redhat.rhsa:tst:20151636025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-agent-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151636026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-perl is earlier than 1:5.7.2-20.el7_1.1" id="oval:com.redhat.rhsa:tst:20151636027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-python is earlier than 1:5.7.2-20.el7_1.1" id="oval:com.redhat.rhsa:tst:20151636028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-gui is earlier than 1:5.7.2-20.el7_1.1" id="oval:com.redhat.rhsa:tst:20151636029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-gui is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151636030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-libs is earlier than 1:5.7.2-20.el7_1.1" id="oval:com.redhat.rhsa:tst:20151636031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-devel is earlier than 1:5.7.2-20.el7_1.1" id="oval:com.redhat.rhsa:tst:20151636032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151636005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam is earlier than 0:1.1.1-20.el6_7.1" id="oval:com.redhat.rhsa:tst:20151640005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151640005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151640003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151640006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151640005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam-devel is earlier than 0:1.1.1-20.el6_7.1" id="oval:com.redhat.rhsa:tst:20151640007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151640006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151640003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151640008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151640006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam is earlier than 0:1.1.8-12.el7_1.1" id="oval:com.redhat.rhsa:tst:20151640013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151640005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151640005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam-devel is earlier than 0:1.1.8-12.el7_1.1" id="oval:com.redhat.rhsa:tst:20151640014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151640006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151640005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-test is earlier than 1:5.5.44-1.el7_1" id="oval:com.redhat.rhsa:tst:20151665005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151665003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb is earlier than 1:5.5.44-1.el7_1" id="oval:com.redhat.rhsa:tst:20151665007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151665003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded is earlier than 1:5.5.44-1.el7_1" id="oval:com.redhat.rhsa:tst:20151665009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151665003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-server is earlier than 1:5.5.44-1.el7_1" id="oval:com.redhat.rhsa:tst:20151665011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151665003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-devel is earlier than 1:5.5.44-1.el7_1" id="oval:com.redhat.rhsa:tst:20151665013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151665003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-embedded-devel is earlier than 1:5.5.44-1.el7_1" id="oval:com.redhat.rhsa:tst:20151665015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151665003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-libs is earlier than 1:5.5.44-1.el7_1" id="oval:com.redhat.rhsa:tst:20151665017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151665003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mariadb-bench is earlier than 1:5.5.44-1.el7_1" id="oval:com.redhat.rhsa:tst:20151665019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140702008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151665003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-devel is earlier than 0:2.4.6-31.el7_1.1" id="oval:com.redhat.rhsa:tst:20151667005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151667003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd is earlier than 0:2.4.6-31.el7_1.1" id="oval:com.redhat.rhsa:tst:20151667007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151667003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ssl is earlier than 1:2.4.6-31.el7_1.1" id="oval:com.redhat.rhsa:tst:20151667009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151667004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_ldap is earlier than 0:2.4.6-31.el7_1.1" id="oval:com.redhat.rhsa:tst:20151667011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151667003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_session is earlier than 0:2.4.6-31.el7_1.1" id="oval:com.redhat.rhsa:tst:20151667013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151667003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_proxy_html is earlier than 1:2.4.6-31.el7_1.1" id="oval:com.redhat.rhsa:tst:20151667015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151667004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-tools is earlier than 0:2.4.6-31.el7_1.1" id="oval:com.redhat.rhsa:tst:20151667017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151667003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="httpd-manual is earlier than 0:2.4.6-31.el7_1.1" id="oval:com.redhat.rhsa:tst:20151667019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140921011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151667003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.2.0-4.el5_11" id="oval:com.redhat.rhsa:tst:20151682002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151586004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.2.0-4.el6_7" id="oval:com.redhat.rhsa:tst:20151682008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151586006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.2.0-1.el7_1" id="oval:com.redhat.rhsa:tst:20151682014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151682008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.2.1-1.el5_11" id="oval:com.redhat.rhsa:tst:20151693002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151693004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.2.1-1.el6_7" id="oval:com.redhat.rhsa:tst:20151693008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151693006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.2.1-1.el7_1" id="oval:com.redhat.rhsa:tst:20151693014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151693008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gdk-pixbuf2 is earlier than 0:2.24.1-6.el6_7" id="oval:com.redhat.rhsa:tst:20151694005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151694005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151694003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gdk-pixbuf2 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151694006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151694005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gdk-pixbuf2-devel is earlier than 0:2.24.1-6.el6_7" id="oval:com.redhat.rhsa:tst:20151694007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151694006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151694003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gdk-pixbuf2-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151694008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151694006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gdk-pixbuf2-devel is earlier than 0:2.28.2-5.el7_1" id="oval:com.redhat.rhsa:tst:20151694013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151694006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151694005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gdk-pixbuf2 is earlier than 0:2.28.2-5.el7_1" id="oval:com.redhat.rhsa:tst:20151694014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151694005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151694005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-taglibs-standard-javadoc is earlier than 0:1.1.1-11.7.el6_7" id="oval:com.redhat.rhsa:tst:20151695005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151695005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151695003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-taglibs-standard-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151695006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151695005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-taglibs-standard is earlier than 0:1.1.1-11.7.el6_7" id="oval:com.redhat.rhsa:tst:20151695007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151695006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151695003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-taglibs-standard is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151695008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151695006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-taglibs-standard-javadoc is earlier than 0:1.1.2-14.el7_1" id="oval:com.redhat.rhsa:tst:20151695013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151695005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151695005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="jakarta-taglibs-standard is earlier than 0:1.1.2-14.el7_1" id="oval:com.redhat.rhsa:tst:20151695014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151695006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151695005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-devel is earlier than 0:3.14.3-23.el6_7" id="oval:com.redhat.rhsa:tst:20151699005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151699003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn is earlier than 0:3.14.3-23.el6_7" id="oval:com.redhat.rhsa:tst:20151699007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151699003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl is earlier than 0:3.14.3-23.el6_7" id="oval:com.redhat.rhsa:tst:20151699009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151699003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl-devel is earlier than 0:3.14.3-23.el6_7" id="oval:com.redhat.rhsa:tst:20151699011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151699003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn is earlier than 0:3.16.2.3-13.el7_1" id="oval:com.redhat.rhsa:tst:20151699017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151699005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl is earlier than 0:3.16.2.3-13.el7_1" id="oval:com.redhat.rhsa:tst:20151699018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151699005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-devel is earlier than 0:3.16.2.3-13.el7_1" id="oval:com.redhat.rhsa:tst:20151699019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151699005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-softokn-freebl-devel is earlier than 0:3.16.2.3-13.el7_1" id="oval:com.redhat.rhsa:tst:20151699020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151699005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcs is earlier than 0:0.9.139-9.el6_7.1" id="oval:com.redhat.rhsa:tst:20151700005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150980005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151700003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-clufter is earlier than 0:0.9.137-13.el7_1.4" id="oval:com.redhat.rhsa:tst:20151700011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150980006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151700005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcs is earlier than 0:0.9.137-13.el7_1.4" id="oval:com.redhat.rhsa:tst:20151700013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150980005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151700005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.8.2-0.37.rc1.el6_7.4" id="oval:com.redhat.rhsa:tst:20151705005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.8.2-0.37.rc1.el6_7.4" id="oval:com.redhat.rhsa:tst:20151705007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.8.2-0.37.rc1.el6_7.4" id="oval:com.redhat.rhsa:tst:20151705009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.8.2-0.37.rc1.el6_7.4" id="oval:com.redhat.rhsa:tst:20151705011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.8.2-0.37.rc1.el6_7.4" id="oval:com.redhat.rhsa:tst:20151705013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.8.2-0.37.rc1.el6_7.4" id="oval:com.redhat.rhsa:tst:20151705015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs-lite is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb-chroot is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-lite-devel is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-license is earlier than 32:9.9.4-18.el7_1.5" id="oval:com.redhat.rhsa:tst:20151705033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151705005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont is earlier than 0:1.4.5-5.el6_7" id="oval:com.redhat.rhsa:tst:20151708005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151708003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont-devel is earlier than 0:1.4.5-5.el6_7" id="oval:com.redhat.rhsa:tst:20151708007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151708003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont is earlier than 0:1.4.7-3.el7_1" id="oval:com.redhat.rhsa:tst:20151708013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151708005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libXfont-devel is earlier than 0:1.4.7-3.el7_1" id="oval:com.redhat.rhsa:tst:20151708014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141870006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151708005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="spice-server is earlier than 0:0.12.4-9.el7_1.1" id="oval:com.redhat.rhsa:tst:20151714005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151714005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151714003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="spice-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151714006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151714005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="spice-server-devel is earlier than 0:0.12.4-9.el7_1.1" id="oval:com.redhat.rhsa:tst:20151714007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151714006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151714003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="spice-server-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151714008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151714006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="spice is earlier than 0:0.12.4-9.el7_1.1" id="oval:com.redhat.rhsa:tst:20151714009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151714007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151714003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="spice is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151714010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151714007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="haproxy is earlier than 0:1.5.4-2.el6_7.1" id="oval:com.redhat.rhsa:tst:20151741005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141292005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151741003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="haproxy is earlier than 0:1.5.4-4.el7_1.1" id="oval:com.redhat.rhsa:tst:20151741011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141292005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151741005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-devel is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-tools is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="mod_dav_svn is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-perl is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-javahl is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-libs is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-ruby is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-gnome is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-kde is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="subversion-python is earlier than 0:1.7.14-7.el7_1.1" id="oval:com.redhat.rhsa:tst:20151742025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150166008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151742003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-229.14.1.el7" id="oval:com.redhat.rhsa:tst:20151778033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151778003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" id="oval:com.redhat.rhsa:tst:20151788005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151788003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" id="oval:com.redhat.rhsa:tst:20151788007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151788003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" id="oval:com.redhat.rhsa:tst:20151788009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151788003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" id="oval:com.redhat.rhsa:tst:20151788011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151788003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" id="oval:com.redhat.rhsa:tst:20151788013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151788003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" id="oval:com.redhat.rhsa:tst:20151788015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151788003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" id="oval:com.redhat.rhsa:tst:20151788017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151788003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" id="oval:com.redhat.rhsa:tst:20151788019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151788003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.14.1.rt56.141.13.el7_1" id="oval:com.redhat.rhsa:tst:20151788021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151788003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is earlier than 10:1.5.3-86.el7_1.6" id="oval:com.redhat.rhsa:tst:20151793005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151793003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is earlier than 10:1.5.3-86.el7_1.6" id="oval:com.redhat.rhsa:tst:20151793007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151793003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is earlier than 10:1.5.3-86.el7_1.6" id="oval:com.redhat.rhsa:tst:20151793009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151793003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is earlier than 10:1.5.3-86.el7_1.6" id="oval:com.redhat.rhsa:tst:20151793011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151793003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is earlier than 10:1.5.3-86.el7_1.6" id="oval:com.redhat.rhsa:tst:20151793013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151793003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.6" id="oval:com.redhat.rhsa:tst:20151793015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151793003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7_1.6" id="oval:com.redhat.rhsa:tst:20151793017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151793003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.3.0-2.el5_11" id="oval:com.redhat.rhsa:tst:20151834002" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151834004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.3.0-2.el6_7" id="oval:com.redhat.rhsa:tst:20151834008" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151834006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.3.0-2.el7_1" id="oval:com.redhat.rhsa:tst:20151834014" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151834008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap is earlier than 0:2.3.43-29.el5_11" id="oval:com.redhat.rhsa:tst:20151840002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20151840003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers is earlier than 0:2.3.43-29.el5_11" id="oval:com.redhat.rhsa:tst:20151840004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20151840005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers-overlays is earlier than 0:2.3.43-29.el5_11" id="oval:com.redhat.rhsa:tst:20151840006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers-overlays is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20151840007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-clients is earlier than 0:2.3.43-29.el5_11" id="oval:com.redhat.rhsa:tst:20151840008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-clients is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20151840009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-devel is earlier than 0:2.3.43-29.el5_11" id="oval:com.redhat.rhsa:tst:20151840010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-devel is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20151840011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="compat-openldap is earlier than 0:2.3.43_2.2.29-29.el5_11" id="oval:com.redhat.rhsa:tst:20151840012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="compat-openldap is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20151840013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers-sql is earlier than 0:2.3.43-29.el5_11" id="oval:com.redhat.rhsa:tst:20151840014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers-sql is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20151840015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-devel is earlier than 0:2.4.40-6.el6_7" id="oval:com.redhat.rhsa:tst:20151840020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151840021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap is earlier than 0:2.4.40-6.el6_7" id="oval:com.redhat.rhsa:tst:20151840022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151840023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers-sql is earlier than 0:2.4.40-6.el6_7" id="oval:com.redhat.rhsa:tst:20151840024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers-sql is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151840025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-clients is earlier than 0:2.4.40-6.el6_7" id="oval:com.redhat.rhsa:tst:20151840026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-clients is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151840027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers is earlier than 0:2.4.40-6.el6_7" id="oval:com.redhat.rhsa:tst:20151840028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151840029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap is earlier than 0:2.4.39-7.el7_1" id="oval:com.redhat.rhsa:tst:20151840034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers-sql is earlier than 0:2.4.39-7.el7_1" id="oval:com.redhat.rhsa:tst:20151840035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-clients is earlier than 0:2.4.39-7.el7_1" id="oval:com.redhat.rhsa:tst:20151840036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-devel is earlier than 0:2.4.39-7.el7_1" id="oval:com.redhat.rhsa:tst:20151840037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers is earlier than 0:2.4.39-7.el7_1" id="oval:com.redhat.rhsa:tst:20151840038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151840009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.3.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20151852002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151852004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.3.0-1.el6_7" id="oval:com.redhat.rhsa:tst:20151852008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151852006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.3.0-1.el7_1" id="oval:com.redhat.rhsa:tst:20151852014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151852008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="spice-server-devel is earlier than 0:0.12.4-9.el7_1.3" id="oval:com.redhat.rhsa:tst:20151890005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151714006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151890003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="spice-server is earlier than 0:0.12.4-9.el7_1.3" id="oval:com.redhat.rhsa:tst:20151890007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151714005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151890003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="spice is earlier than 0:0.12.4-9.el7_1.3" id="oval:com.redhat.rhsa:tst:20151890009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151714007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151890003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwmf is earlier than 0:0.2.8.4-25.el6_7" id="oval:com.redhat.rhsa:tst:20151917005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151917005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151917003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwmf is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151917006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151917005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwmf-lite is earlier than 0:0.2.8.4-25.el6_7" id="oval:com.redhat.rhsa:tst:20151917007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151917006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151917003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwmf-lite is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151917008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151917006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwmf-devel is earlier than 0:0.2.8.4-25.el6_7" id="oval:com.redhat.rhsa:tst:20151917009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151917007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151917003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwmf-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151917010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151917007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwmf-lite is earlier than 0:0.2.8.4-41.el7_1" id="oval:com.redhat.rhsa:tst:20151917015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151917006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151917005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwmf is earlier than 0:0.2.8.4-41.el7_1" id="oval:com.redhat.rhsa:tst:20151917016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151917005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151917005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwmf-devel is earlier than 0:0.2.8.4-41.el7_1" id="oval:com.redhat.rhsa:tst:20151917017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151917007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151917005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless-debug is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151919006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-debug is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151919012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel-debug is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151919016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo-debug is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151919018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src-debug is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151919022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc-debug is earlier than 1:1.8.0.65-0.b17.el6_7" id="oval:com.redhat.rhsa:tst:20151919027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20151919028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.65-2.b17.el7_1" id="oval:com.redhat.rhsa:tst:20151919033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.65-2.b17.el7_1" id="oval:com.redhat.rhsa:tst:20151919035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.65-2.b17.el7_1" id="oval:com.redhat.rhsa:tst:20151919036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.65-2.b17.el7_1" id="oval:com.redhat.rhsa:tst:20151919037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.65-2.b17.el7_1" id="oval:com.redhat.rhsa:tst:20151919038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk is earlier than 1:1.8.0.65-2.b17.el7_1" id="oval:com.redhat.rhsa:tst:20151919039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.65-2.b17.el7_1" id="oval:com.redhat.rhsa:tst:20151919040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151919005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.91-2.6.2.2.el6_7" id="oval:com.redhat.rhsa:tst:20151920005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.91-2.6.2.2.el6_7" id="oval:com.redhat.rhsa:tst:20151920007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.91-2.6.2.2.el6_7" id="oval:com.redhat.rhsa:tst:20151920009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.91-2.6.2.2.el6_7" id="oval:com.redhat.rhsa:tst:20151920011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.91-2.6.2.2.el6_7" id="oval:com.redhat.rhsa:tst:20151920013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.91-2.6.2.1.el7_1" id="oval:com.redhat.rhsa:tst:20151920019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.91-2.6.2.1.el7_1" id="oval:com.redhat.rhsa:tst:20151920020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.91-2.6.2.1.el7_1" id="oval:com.redhat.rhsa:tst:20151920021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.91-2.6.2.1.el7_1" id="oval:com.redhat.rhsa:tst:20151920022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.91-2.6.2.1.el7_1" id="oval:com.redhat.rhsa:tst:20151920024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.91-2.6.2.1.el7_1" id="oval:com.redhat.rhsa:tst:20151920026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.91-2.6.2.1.el7_1" id="oval:com.redhat.rhsa:tst:20151920027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151920005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-perl is earlier than 0:4.2.6p5-5.el6_7.2" id="oval:com.redhat.rhsa:tst:20151930005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151930003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntpdate is earlier than 0:4.2.6p5-5.el6_7.2" id="oval:com.redhat.rhsa:tst:20151930007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151930003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp is earlier than 0:4.2.6p5-5.el6_7.2" id="oval:com.redhat.rhsa:tst:20151930009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151930003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-doc is earlier than 0:4.2.6p5-5.el6_7.2" id="oval:com.redhat.rhsa:tst:20151930011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151930003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sntp is earlier than 0:4.2.6p5-19.el7_1.3" id="oval:com.redhat.rhsa:tst:20151930017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151930005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntpdate is earlier than 0:4.2.6p5-19.el7_1.3" id="oval:com.redhat.rhsa:tst:20151930019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151930005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp is earlier than 0:4.2.6p5-19.el7_1.3" id="oval:com.redhat.rhsa:tst:20151930020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151930005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-doc is earlier than 0:4.2.6p5-19.el7_1.3" id="oval:com.redhat.rhsa:tst:20151930021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151930005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-perl is earlier than 0:4.2.6p5-19.el7_1.3" id="oval:com.redhat.rhsa:tst:20151930022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151930005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is earlier than 10:1.5.3-86.el7_1.8" id="oval:com.redhat.rhsa:tst:20151943005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151943003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is earlier than 10:1.5.3-86.el7_1.8" id="oval:com.redhat.rhsa:tst:20151943007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151943003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is earlier than 10:1.5.3-86.el7_1.8" id="oval:com.redhat.rhsa:tst:20151943009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151943003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is earlier than 10:1.5.3-86.el7_1.8" id="oval:com.redhat.rhsa:tst:20151943011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151943003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is earlier than 10:1.5.3-86.el7_1.8" id="oval:com.redhat.rhsa:tst:20151943013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151943003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is earlier than 10:1.5.3-86.el7_1.8" id="oval:com.redhat.rhsa:tst:20151943015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151943003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.8" id="oval:com.redhat.rhsa:tst:20151943017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151943003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" id="oval:com.redhat.rhsa:tst:20151977005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151977003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" id="oval:com.redhat.rhsa:tst:20151977007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151977003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" id="oval:com.redhat.rhsa:tst:20151977009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151977003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" id="oval:com.redhat.rhsa:tst:20151977011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151977003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" id="oval:com.redhat.rhsa:tst:20151977013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151977003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-virt-devel is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" id="oval:com.redhat.rhsa:tst:20151977015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151977003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" id="oval:com.redhat.rhsa:tst:20151977017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151977003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" id="oval:com.redhat.rhsa:tst:20151977019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151977003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is earlier than 0:3.10.0-229.20.1.rt56.141.14.el7_1" id="oval:com.redhat.rhsa:tst:20151977021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151977003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-229.20.1.el7" id="oval:com.redhat.rhsa:tst:20151978033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151978003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreswan is earlier than 0:3.15-5.el7_1" id="oval:com.redhat.rhsa:tst:20151979005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151154005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151979003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.19.1-5.el6_7" id="oval:com.redhat.rhsa:tst:20151981005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.19.1-5.el6_7" id="oval:com.redhat.rhsa:tst:20151981007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.19.1-5.el6_7" id="oval:com.redhat.rhsa:tst:20151981009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.19.1-5.el6_7" id="oval:com.redhat.rhsa:tst:20151981011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.19.1-5.el6_7" id="oval:com.redhat.rhsa:tst:20151981013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr-devel is earlier than 0:4.10.8-2.el6_7" id="oval:com.redhat.rhsa:tst:20151981015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr is earlier than 0:4.10.8-2.el6_7" id="oval:com.redhat.rhsa:tst:20151981017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is earlier than 0:3.19.1-2.el6_7" id="oval:com.redhat.rhsa:tst:20151981019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is earlier than 0:3.19.1-2.el6_7" id="oval:com.redhat.rhsa:tst:20151981021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr is earlier than 0:4.10.8-2.el7_1" id="oval:com.redhat.rhsa:tst:20151981027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nspr-devel is earlier than 0:4.10.8-2.el7_1" id="oval:com.redhat.rhsa:tst:20151981028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981007"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.19.1-7.el7_1.2" id="oval:com.redhat.rhsa:tst:20151981029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.19.1-7.el7_1.2" id="oval:com.redhat.rhsa:tst:20151981030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.19.1-7.el7_1.2" id="oval:com.redhat.rhsa:tst:20151981031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.19.1-7.el7_1.2" id="oval:com.redhat.rhsa:tst:20151981032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.19.1-7.el7_1.2" id="oval:com.redhat.rhsa:tst:20151981033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util-devel is earlier than 0:3.19.1-4.el7_1" id="oval:com.redhat.rhsa:tst:20151981034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-util is earlier than 0:3.19.1-4.el7_1" id="oval:com.redhat.rhsa:tst:20151981035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141073005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151981009"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.4.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20151982002" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151982004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.4.0-1.el6_7" id="oval:com.redhat.rhsa:tst:20151982008" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151982006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.4.0-1.el7_1" id="oval:com.redhat.rhsa:tst:20151982014" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151982008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-upgrade is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-docs is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-libs is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-pltcl is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-contrib is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plpython is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-test is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-devel is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plperl is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-server is earlier than 0:9.2.14-1.el7_1" id="oval:com.redhat.rhsa:tst:20152078025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152078003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="binutils is earlier than 0:2.23.52.0.1-55.el7" id="oval:com.redhat.rhsa:tst:20152079005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152079005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152079003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="binutils is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152079006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152079005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="binutils-devel is earlier than 0:2.23.52.0.1-55.el7" id="oval:com.redhat.rhsa:tst:20152079007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152079006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152079003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="binutils-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152079008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152079006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.37-1.13.9.4.el5_11" id="oval:com.redhat.rhsa:tst:20152086002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.37-1.13.9.4.el5_11" id="oval:com.redhat.rhsa:tst:20152086004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.37-1.13.9.4.el5_11" id="oval:com.redhat.rhsa:tst:20152086006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.37-1.13.9.4.el5_11" id="oval:com.redhat.rhsa:tst:20152086008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.37-1.13.9.4.el5_11" id="oval:com.redhat.rhsa:tst:20152086010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.37-1.13.9.4.el6_7" id="oval:com.redhat.rhsa:tst:20152086016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.37-1.13.9.4.el6_7" id="oval:com.redhat.rhsa:tst:20152086018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.37-1.13.9.4.el6_7" id="oval:com.redhat.rhsa:tst:20152086020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.37-1.13.9.4.el6_7" id="oval:com.redhat.rhsa:tst:20152086022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.37-1.13.9.4.el6_7" id="oval:com.redhat.rhsa:tst:20152086024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.37-1.13.9.4.el7_1" id="oval:com.redhat.rhsa:tst:20152086030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.37-1.13.9.4.el7_1" id="oval:com.redhat.rhsa:tst:20152086031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.37-1.13.9.4.el7_1" id="oval:com.redhat.rhsa:tst:20152086032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.37-1.13.9.4.el7_1" id="oval:com.redhat.rhsa:tst:20152086033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.37-1.13.9.4.el7_1" id="oval:com.redhat.rhsa:tst:20152086034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152086008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-clients is earlier than 0:6.6.1p1-22.el7" id="oval:com.redhat.rhsa:tst:20152088005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152088003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-server is earlier than 0:6.6.1p1-22.el7" id="oval:com.redhat.rhsa:tst:20152088007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152088003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-server-sysvinit is earlier than 0:6.6.1p1-22.el7" id="oval:com.redhat.rhsa:tst:20152088009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152088003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam_ssh_agent_auth is earlier than 0:0.9.3-9.22.el7" id="oval:com.redhat.rhsa:tst:20152088011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152088004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh is earlier than 0:6.6.1p1-22.el7" id="oval:com.redhat.rhsa:tst:20152088013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152088003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-askpass is earlier than 0:6.6.1p1-22.el7" id="oval:com.redhat.rhsa:tst:20152088015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152088003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-keycat is earlier than 0:6.6.1p1-22.el7" id="oval:com.redhat.rhsa:tst:20152088017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152088003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-ldap is earlier than 0:6.6.1p1-22.el7" id="oval:com.redhat.rhsa:tst:20152088019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152088003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python is earlier than 0:2.7.5-34.el7" id="oval:com.redhat.rhsa:tst:20152101005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152101003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152101006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-tools is earlier than 0:2.7.5-34.el7" id="oval:com.redhat.rhsa:tst:20152101007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152101003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152101008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-test is earlier than 0:2.7.5-34.el7" id="oval:com.redhat.rhsa:tst:20152101009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152101003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-test is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152101010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tkinter is earlier than 0:2.7.5-34.el7" id="oval:com.redhat.rhsa:tst:20152101011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152101003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tkinter is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152101012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-libs is earlier than 0:2.7.5-34.el7" id="oval:com.redhat.rhsa:tst:20152101013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152101003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152101014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-debug is earlier than 0:2.7.5-34.el7" id="oval:com.redhat.rhsa:tst:20152101015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152101003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152101016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-devel is earlier than 0:2.7.5-34.el7" id="oval:com.redhat.rhsa:tst:20152101017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152101003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152101018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152101011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cpio is earlier than 0:2.11-24.el7" id="oval:com.redhat.rhsa:tst:20152108005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152108005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152108003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cpio is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152108006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152108005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grep is earlier than 0:2.20-2.el7" id="oval:com.redhat.rhsa:tst:20152111005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152111005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152111003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grep is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152111006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152111005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-devel is earlier than 0:2.4.40-8.el7" id="oval:com.redhat.rhsa:tst:20152131005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152131003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers-sql is earlier than 0:2.4.40-8.el7" id="oval:com.redhat.rhsa:tst:20152131007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152131003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-clients is earlier than 0:2.4.40-8.el7" id="oval:com.redhat.rhsa:tst:20152131009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152131003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap is earlier than 0:2.4.40-8.el7" id="oval:com.redhat.rhsa:tst:20152131011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152131003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openldap-servers is earlier than 0:2.4.40-8.el7" id="oval:com.redhat.rhsa:tst:20152131013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151840003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152131003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libssh2 is earlier than 0:1.4.3-10.el7" id="oval:com.redhat.rhsa:tst:20152140005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152140005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152140003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libssh2 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152140006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152140005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libssh2-devel is earlier than 0:1.4.3-10.el7" id="oval:com.redhat.rhsa:tst:20152140007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152140006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152140003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libssh2-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152140008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152140006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libssh2-docs is earlier than 0:1.4.3-10.el7" id="oval:com.redhat.rhsa:tst:20152140009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152140007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152140003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libssh2-docs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152140010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152140007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xfsprogs is earlier than 0:3.2.2-2.el7" id="oval:com.redhat.rhsa:tst:20152151005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152151005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152151003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xfsprogs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152151006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152151005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xfsprogs-devel is earlier than 0:3.2.2-2.el7" id="oval:com.redhat.rhsa:tst:20152151007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152151006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152151003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xfsprogs-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152151008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152151006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xfsprogs-qa-devel is earlier than 0:3.2.2-2.el7" id="oval:com.redhat.rhsa:tst:20152151009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152151007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152151003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="xfsprogs-qa-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152151010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152151007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152005" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152007" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152009" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152011" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152013" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152015" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152017" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152019" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152021" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152023" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152025" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152027" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152029" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152031" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-327.el7" id="oval:com.redhat.rhsa:tst:20152152033" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152152003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-libs is earlier than 0:1.13.2-10.el7" id="oval:com.redhat.rhsa:tst:20152154005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152154003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-server is earlier than 0:1.13.2-10.el7" id="oval:com.redhat.rhsa:tst:20152154007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152154003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-server-ldap is earlier than 0:1.13.2-10.el7" id="oval:com.redhat.rhsa:tst:20152154009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152154003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-pkinit is earlier than 0:1.13.2-10.el7" id="oval:com.redhat.rhsa:tst:20152154011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152154003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-devel is earlier than 0:1.13.2-10.el7" id="oval:com.redhat.rhsa:tst:20152154013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152154003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5-workstation is earlier than 0:1.13.2-10.el7" id="oval:com.redhat.rhsa:tst:20152154015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152154003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="krb5 is earlier than 0:1.13.2-10.el7" id="oval:com.redhat.rhsa:tst:20152154017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150439005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152154003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="file-devel is earlier than 0:5.11-31.el7" id="oval:com.redhat.rhsa:tst:20152155005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152155003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="file-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152155006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="file-libs is earlier than 0:5.11-31.el7" id="oval:com.redhat.rhsa:tst:20152155007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152155003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="file-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152155008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="file-static is earlier than 0:5.11-31.el7" id="oval:com.redhat.rhsa:tst:20152155009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152155003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="file-static is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152155010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="file is earlier than 0:5.11-31.el7" id="oval:com.redhat.rhsa:tst:20152155011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152155003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="file is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152155012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-magic is earlier than 0:5.11-31.el7" id="oval:com.redhat.rhsa:tst:20152155013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152155003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-magic is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152155014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152155009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcurl-devel is earlier than 0:7.29.0-25.el7" id="oval:com.redhat.rhsa:tst:20152159005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152159005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152159003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcurl-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152159006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152159005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcurl is earlier than 0:7.29.0-25.el7" id="oval:com.redhat.rhsa:tst:20152159007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152159006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152159003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcurl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152159008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152159006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="curl is earlier than 0:7.29.0-25.el7" id="oval:com.redhat.rhsa:tst:20152159009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152159007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152159003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="curl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152159010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152159007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.17-106.el7_2.1" id="oval:com.redhat.rhsa:tst:20152172005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152172003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.17-106.el7_2.1" id="oval:com.redhat.rhsa:tst:20152172007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152172003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is earlier than 0:2.17-106.el7_2.1" id="oval:com.redhat.rhsa:tst:20152172009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152172003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.17-106.el7_2.1" id="oval:com.redhat.rhsa:tst:20152172011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152172003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.17-106.el7_2.1" id="oval:com.redhat.rhsa:tst:20152172013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152172003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.17-106.el7_2.1" id="oval:com.redhat.rhsa:tst:20152172015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152172003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.17-106.el7_2.1" id="oval:com.redhat.rhsa:tst:20152172017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152172003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-thor is earlier than 0:0.19.1-1.el7" id="oval:com.redhat.rhsa:tst:20152180005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152180005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152180003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-thor is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152180006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152180005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-thor-doc is earlier than 0:0.19.1-1.el7" id="oval:com.redhat.rhsa:tst:20152180007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152180006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152180003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-thor-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152180008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152180006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-bundler is earlier than 0:1.7.8-3.el7" id="oval:com.redhat.rhsa:tst:20152180009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152180007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152180004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-bundler is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152180010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152180007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-bundler-doc is earlier than 0:1.7.8-3.el7" id="oval:com.redhat.rhsa:tst:20152180011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152180008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152180004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rubygem-bundler-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152180012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152180008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="realmd is earlier than 0:0.16.1-5.el7" id="oval:com.redhat.rhsa:tst:20152184005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152184005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152184003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="realmd is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152184006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152184005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="realmd-devel-docs is earlier than 0:0.16.1-5.el7" id="oval:com.redhat.rhsa:tst:20152184007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152184006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152184003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="realmd-devel-docs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152184008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152184006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.17-105.el7" id="oval:com.redhat.rhsa:tst:20152199005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152199003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.17-105.el7" id="oval:com.redhat.rhsa:tst:20152199007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152199003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.17-105.el7" id="oval:com.redhat.rhsa:tst:20152199009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152199003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.17-105.el7" id="oval:com.redhat.rhsa:tst:20152199011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152199003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.17-105.el7" id="oval:com.redhat.rhsa:tst:20152199013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152199003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.17-105.el7" id="oval:com.redhat.rhsa:tst:20152199015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152199003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is earlier than 0:2.17-105.el7" id="oval:com.redhat.rhsa:tst:20152199017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152199003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp is earlier than 0:4.2.6p5-22.el7" id="oval:com.redhat.rhsa:tst:20152231005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152231003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sntp is earlier than 0:4.2.6p5-22.el7" id="oval:com.redhat.rhsa:tst:20152231007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152231003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntpdate is earlier than 0:4.2.6p5-22.el7" id="oval:com.redhat.rhsa:tst:20152231009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152231003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-doc is earlier than 0:4.2.6p5-22.el7" id="oval:com.redhat.rhsa:tst:20152231011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152231003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-perl is earlier than 0:4.2.6p5-22.el7" id="oval:com.redhat.rhsa:tst:20152231013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152231003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-server is earlier than 0:1.3.1-3.el7" id="oval:com.redhat.rhsa:tst:20152233005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152233003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152233006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc is earlier than 0:1.3.1-3.el7" id="oval:com.redhat.rhsa:tst:20152233007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152233003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152233008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-server-minimal is earlier than 0:1.3.1-3.el7" id="oval:com.redhat.rhsa:tst:20152233009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152233003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-server-minimal is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152233010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-server-module is earlier than 0:1.3.1-3.el7" id="oval:com.redhat.rhsa:tst:20152233011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152233003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-server-module is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152233012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-icons is earlier than 0:1.3.1-3.el7" id="oval:com.redhat.rhsa:tst:20152233013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152233003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-icons is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152233014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-license is earlier than 0:1.3.1-3.el7" id="oval:com.redhat.rhsa:tst:20152233015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152233003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-license is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152233016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-server-applet is earlier than 0:1.3.1-3.el7" id="oval:com.redhat.rhsa:tst:20152233017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152233003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="tigervnc-server-applet is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152233018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152233011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rest-devel is earlier than 0:0.7.92-3.el7" id="oval:com.redhat.rhsa:tst:20152237005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152237005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152237003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rest-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152237006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152237005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rest is earlier than 0:0.7.92-3.el7" id="oval:com.redhat.rhsa:tst:20152237007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152237006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152237003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rest is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152237008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152237006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="chrony is earlier than 0:2.1.1-1.el7" id="oval:com.redhat.rhsa:tst:20152241005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152241005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152241003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="chrony is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152241006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152241005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="netcf is earlier than 0:0.2.8-1.el7" id="oval:com.redhat.rhsa:tst:20152248005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152248005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152248003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="netcf is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152248006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152248005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="netcf-devel is earlier than 0:0.2.8-1.el7" id="oval:com.redhat.rhsa:tst:20152248007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152248006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152248003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="netcf-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152248008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152248006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="netcf-libs is earlier than 0:0.2.8-1.el7" id="oval:com.redhat.rhsa:tst:20152248009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152248007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152248003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="netcf-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152248010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152248007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pcs is earlier than 0:0.9.143-15.el7" id="oval:com.redhat.rhsa:tst:20152290005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150980005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152290003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager-devel is earlier than 0:1.1.0-8.git20130913.el7" id="oval:com.redhat.rhsa:tst:20152315005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager-glib is earlier than 0:1.1.0-8.git20130913.el7" id="oval:com.redhat.rhsa:tst:20152315007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager-glib is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager is earlier than 0:1.1.0-8.git20130913.el7" id="oval:com.redhat.rhsa:tst:20152315009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager-vala is earlier than 0:1.1.0-8.git20130913.el7" id="oval:com.redhat.rhsa:tst:20152315011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager-vala is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager-glib-devel is earlier than 0:1.1.0-8.git20130913.el7" id="oval:com.redhat.rhsa:tst:20152315013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ModemManager-glib-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nm-connection-editor is earlier than 0:1.0.6-2.el7" id="oval:com.redhat.rhsa:tst:20152315015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nm-connection-editor is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libnm-gtk-devel is earlier than 0:1.0.6-2.el7" id="oval:com.redhat.rhsa:tst:20152315017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libnm-gtk-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libnm-gtk is earlier than 0:1.0.6-2.el7" id="oval:com.redhat.rhsa:tst:20152315019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libnm-gtk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="network-manager-applet is earlier than 0:1.0.6-2.el7" id="oval:com.redhat.rhsa:tst:20152315021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="network-manager-applet is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-libreswan-gnome is earlier than 0:1.0.6-3.el7" id="oval:com.redhat.rhsa:tst:20152315023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-libreswan-gnome is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-libreswan is earlier than 0:1.0.6-3.el7" id="oval:com.redhat.rhsa:tst:20152315025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-libreswan is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-libnm-devel is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-libnm-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-adsl is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-adsl is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-devel is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-wwan is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-wwan is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-glib-devel is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-glib-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-libnm is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-libnm is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-wifi is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-wifi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-tui is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-tui is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315044" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-team is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-team is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315046" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-config-server is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-config-server is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315048" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-glib is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-glib is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315050" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-bluetooth is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-bluetooth is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315052" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-config-routing-rules is earlier than 1:1.0.6-27.el7" id="oval:com.redhat.rhsa:tst:20152315053" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152315006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="NetworkManager-config-routing-rules is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152315054" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152315029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-libs is earlier than 1:5.7.2-24.el7" id="oval:com.redhat.rhsa:tst:20152345005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152345003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-utils is earlier than 1:5.7.2-24.el7" id="oval:com.redhat.rhsa:tst:20152345007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152345003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-python is earlier than 1:5.7.2-24.el7" id="oval:com.redhat.rhsa:tst:20152345009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152345003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-perl is earlier than 1:5.7.2-24.el7" id="oval:com.redhat.rhsa:tst:20152345011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152345003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-devel is earlier than 1:5.7.2-24.el7" id="oval:com.redhat.rhsa:tst:20152345013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152345003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-gui is earlier than 1:5.7.2-24.el7" id="oval:com.redhat.rhsa:tst:20152345015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152345003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp is earlier than 1:5.7.2-24.el7" id="oval:com.redhat.rhsa:tst:20152345017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152345003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-sysvinit is earlier than 1:5.7.2-24.el7" id="oval:com.redhat.rhsa:tst:20152345019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152345003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="net-snmp-agent-libs is earlier than 1:5.7.2-24.el7" id="oval:com.redhat.rhsa:tst:20152345021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151636012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152345003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libipa_hbac is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libipa_hbac is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-ad is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-ad is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-krb5 is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-krb5 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_simpleifp-devel is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_simpleifp-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-krb5-common is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-krb5-common is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-tools is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_nss_idmap is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_nss_idmap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-ldap is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-ldap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_simpleifp is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_simpleifp is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-libwbclient is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-libwbclient is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-ipa is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-ipa is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-dbus is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-dbus is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-libsss_nss_idmap is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-libsss_nss_idmap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-libwbclient-devel is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-libwbclient-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-sss is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-sss is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-proxy is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-proxy is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355036" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-common-pac is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-common-pac is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_nss_idmap-devel is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_nss_idmap-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-common is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-common is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-libipa_hbac is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-libipa_hbac is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355044" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_idmap-devel is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_idmap-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355046" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libipa_hbac-devel is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libipa_hbac-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355048" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_idmap is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsss_idmap is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355050" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355052" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-sss-murmur is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355053" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-sss-murmur is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355054" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-client is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355055" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355030"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sssd-client is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355056" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355030"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-sssdconfig is earlier than 0:1.13.0-40.el7" id="oval:com.redhat.rhsa:tst:20152355057" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355031"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152355003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-sssdconfig is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152355058" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152355031"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filters-devel is earlier than 0:1.0.35-21.el7" id="oval:com.redhat.rhsa:tst:20152360005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141795006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152360003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filters-libs is earlier than 0:1.0.35-21.el7" id="oval:com.redhat.rhsa:tst:20152360007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141795007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152360003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="cups-filters is earlier than 0:1.0.35-21.el7" id="oval:com.redhat.rhsa:tst:20152360009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141795005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152360003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openhpi is earlier than 0:3.4.0-2.el7" id="oval:com.redhat.rhsa:tst:20152369005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152369005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152369003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openhpi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152369006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152369005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openhpi-libs is earlier than 0:3.4.0-2.el7" id="oval:com.redhat.rhsa:tst:20152369007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152369006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152369003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openhpi-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152369008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152369006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openhpi-devel is earlier than 0:3.4.0-2.el7" id="oval:com.redhat.rhsa:tst:20152369009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152369007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152369003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openhpi-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152369010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152369007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="squid is earlier than 7:3.3.8-26.el7" id="oval:com.redhat.rhsa:tst:20152378005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141147005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152378003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="squid-sysvinit is earlier than 7:3.3.8-26.el7" id="oval:com.redhat.rhsa:tst:20152378007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141147006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152378003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-cluster-libs is earlier than 0:1.1.13-10.el7" id="oval:com.redhat.rhsa:tst:20152383005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-cluster-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152383006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-libs is earlier than 0:1.1.13-10.el7" id="oval:com.redhat.rhsa:tst:20152383007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152383008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-nagios-plugins-metadata is earlier than 0:1.1.13-10.el7" id="oval:com.redhat.rhsa:tst:20152383009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-nagios-plugins-metadata is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152383010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-cts is earlier than 0:1.1.13-10.el7" id="oval:com.redhat.rhsa:tst:20152383011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-cts is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152383012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker is earlier than 0:1.1.13-10.el7" id="oval:com.redhat.rhsa:tst:20152383013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152383014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-libs-devel is earlier than 0:1.1.13-10.el7" id="oval:com.redhat.rhsa:tst:20152383015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-libs-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152383016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-cli is earlier than 0:1.1.13-10.el7" id="oval:com.redhat.rhsa:tst:20152383017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-cli is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152383018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-doc is earlier than 0:1.1.13-10.el7" id="oval:com.redhat.rhsa:tst:20152383019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-doc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152383020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-remote is earlier than 0:1.1.13-10.el7" id="oval:com.redhat.rhsa:tst:20152383021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152383003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pacemaker-remote is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152383022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152383013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark-devel is earlier than 0:1.10.14-7.el7" id="oval:com.redhat.rhsa:tst:20152393005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152393003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark-gnome is earlier than 0:1.10.14-7.el7" id="oval:com.redhat.rhsa:tst:20152393007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152393003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="wireshark is earlier than 0:1.10.14-7.el7" id="oval:com.redhat.rhsa:tst:20152393009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141676005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152393003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2 is earlier than 1:2.02-0.29.el7" id="oval:com.redhat.rhsa:tst:20152401005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152401003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152401006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2-tools is earlier than 1:2.02-0.29.el7" id="oval:com.redhat.rhsa:tst:20152401007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152401003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152401008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2-efi-modules is earlier than 1:2.02-0.29.el7" id="oval:com.redhat.rhsa:tst:20152401009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152401003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2-efi-modules is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152401010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2-efi is earlier than 1:2.02-0.29.el7" id="oval:com.redhat.rhsa:tst:20152401011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152401003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2-efi is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152401012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-kvm is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152411008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-kvm is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152411014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-kvm is earlier than 0:3.10.0-327.rt56.204.el7" id="oval:com.redhat.rhsa:tst:20152411023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152411003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-kvm is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152411024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autofs is earlier than 1:5.0.7-54.el7" id="oval:com.redhat.rhsa:tst:20152417005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152417005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152417003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autofs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152417006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152417005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unbound-devel is earlier than 0:1.4.20-26.el7" id="oval:com.redhat.rhsa:tst:20152455005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152455005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152455003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unbound-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152455006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152455005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unbound is earlier than 0:1.4.20-26.el7" id="oval:com.redhat.rhsa:tst:20152455007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152455006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152455003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unbound is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152455008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152455006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unbound-python is earlier than 0:1.4.20-26.el7" id="oval:com.redhat.rhsa:tst:20152455009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152455007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152455003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unbound-python is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152455010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152455007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unbound-libs is earlier than 0:1.4.20-26.el7" id="oval:com.redhat.rhsa:tst:20152455011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152455008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152455003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="unbound-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152455012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152455008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-console-notification is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-retrace-client is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-python is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-desktop is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-dbus is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-gui is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-libs is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-python is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-gui-devel is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-kerneloops is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-cli is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-vmcore is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-ccpp is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-upload-watch is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-tui is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-gui-libs is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-xorg is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-addon-pstoreoops is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-devel is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="abrt-python-doc is earlier than 0:2.1.11-35.el7" id="oval:com.redhat.rhsa:tst:20152505045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-gtk-devel is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083040"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-rhel-bugzilla is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-cli is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083039"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-mailx is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505053" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083032"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-newt is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505055" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083035"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-compat is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505057" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083045"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-rhel is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505059" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083047"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-python is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505061" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083034"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-rhtsupport is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505063" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083042"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-devel is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505065" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083031"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-web-devel is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505067" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083044"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-logger is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505069" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083030"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-bugzilla is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505071" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083037"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-anaconda is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505073" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083046"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-gtk is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505075" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083029"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-web is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505077" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083043"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-filesystem is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505079" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083038"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-rhel-anaconda-bugzilla is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505081" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083027"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505083" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083036"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-ureport is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505085" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083026"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-reportuploader is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505087" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083033"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreport-plugin-kerneloops is earlier than 0:2.1.11-31.el7" id="oval:com.redhat.rhsa:tst:20152505089" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151083041"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152505004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.4.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20152519002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151982004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.4.0-1.el6_7" id="oval:com.redhat.rhsa:tst:20152519008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20151982006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.4.0-1.el7_2" id="oval:com.redhat.rhsa:tst:20152519014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152519008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="apache-commons-collections-testframework is earlier than 0:3.2.1-22.el7_2" id="oval:com.redhat.rhsa:tst:20152522005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152522005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152522003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="apache-commons-collections-testframework is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152522006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152522005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="apache-commons-collections is earlier than 0:3.2.1-22.el7_2" id="oval:com.redhat.rhsa:tst:20152522007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152522006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152522003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="apache-commons-collections is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152522008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152522006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="apache-commons-collections-testframework-javadoc is earlier than 0:3.2.1-22.el7_2" id="oval:com.redhat.rhsa:tst:20152522009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152522007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152522003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="apache-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152522010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152522007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="apache-commons-collections-javadoc is earlier than 0:3.2.1-22.el7_2" id="oval:com.redhat.rhsa:tst:20152522011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152522008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152522003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="apache-commons-collections-javadoc is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152522012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152522008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-devel is earlier than 0:2.9.1-6.el7_2.2" id="oval:com.redhat.rhsa:tst:20152550005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152550003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-static is earlier than 0:2.9.1-6.el7_2.2" id="oval:com.redhat.rhsa:tst:20152550007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152550003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2-python is earlier than 0:2.9.1-6.el7_2.2" id="oval:com.redhat.rhsa:tst:20152550009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152550003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libxml2 is earlier than 0:2.9.1-6.el7_2.2" id="oval:com.redhat.rhsa:tst:20152550011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141655005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152550003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-327.3.1.el7" id="oval:com.redhat.rhsa:tst:20152552033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152552003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561006" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-daemon is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-daemon is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561008" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-svn is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-svn is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561010" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-all is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-all is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561012" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-cvs is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-cvs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561014" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-email is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-email is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561016" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perl-Git-SVN is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perl-Git-SVN is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561018" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-bzr is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-bzr is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561020" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-gui is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561021" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-gui is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561022" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gitweb is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561023" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gitweb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561024" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-hg is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561025" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-hg is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561026" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="emacs-git is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561027" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="emacs-git is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561028" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gitk is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561029" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gitk is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561030" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="emacs-git-el is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561031" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="emacs-git-el is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561032" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perl-Git is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561033" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perl-Git is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561034" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-p4 is earlier than 0:1.8.3.1-6.el7" id="oval:com.redhat.rhsa:tst:20152561035" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152561003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="git-p4 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152561036" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152561020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng12-devel is earlier than 0:1.2.50-7.el7_2" id="oval:com.redhat.rhsa:tst:20152595005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152595005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152595003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng12-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152595006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152595005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng12 is earlier than 0:1.2.50-7.el7_2" id="oval:com.redhat.rhsa:tst:20152595007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152595006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152595003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng12 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152595008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152595006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng-devel is earlier than 2:1.5.13-7.el7_2" id="oval:com.redhat.rhsa:tst:20152596005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152596005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152596003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152596006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152596005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng-static is earlier than 2:1.5.13-7.el7_2" id="oval:com.redhat.rhsa:tst:20152596007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152596006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152596003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng-static is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152596008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152596006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng is earlier than 2:1.5.13-7.el7_2" id="oval:com.redhat.rhsa:tst:20152596009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152596007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152596003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libpng is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152596010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152596007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 0:1.0.1e-42.el6_7.1" id="oval:com.redhat.rhsa:tst:20152617005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152617003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 0:1.0.1e-42.el6_7.1" id="oval:com.redhat.rhsa:tst:20152617007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152617003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 0:1.0.1e-42.el6_7.1" id="oval:com.redhat.rhsa:tst:20152617009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152617003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 0:1.0.1e-42.el6_7.1" id="oval:com.redhat.rhsa:tst:20152617011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152617003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-51.el7_2.1" id="oval:com.redhat.rhsa:tst:20152617017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152617005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-51.el7_2.1" id="oval:com.redhat.rhsa:tst:20152617018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152617005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-51.el7_2.1" id="oval:com.redhat.rhsa:tst:20152617019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152617005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-51.el7_2.1" id="oval:com.redhat.rhsa:tst:20152617020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152617005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-51.el7_2.1" id="oval:com.redhat.rhsa:tst:20152617021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152617005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-headless is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377044"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-pdfimport is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377141"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zh-Hans is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377089"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ga is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377073"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ko is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377126"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-glade is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377133"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pl is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377064"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-tn is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377119"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nb is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377156"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-xsltfilter is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377155"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-de is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377079"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-impress is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377071"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377101"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-nlpsolver is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377083"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pt-PT is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377095"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-core is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377049"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-el is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377158"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pa is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377105"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zh-Hant is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377040"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619043" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377033"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ml is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377154"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-eu is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377053"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ru is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377109"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ms is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619051" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152619028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ms is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152619052" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152619028"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-he is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619053" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377060"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-base is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619055" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377078"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-calc is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619057" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377151"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-filters is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619059" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377135"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-pyuno is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619061" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377125"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-th is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619063" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377081"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hu is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619065" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377118"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-bg is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619067" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377148"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-mr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619069" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377093"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-librelogo is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619071" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377043"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619073" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377085"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-tr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619075" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377072"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-kn is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619077" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377134"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sl is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619079" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377042"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-gdb-debug-support is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619081" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377046"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-gu is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619083" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377106"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-or is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619085" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377108"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sv is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619087" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377143"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ss is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619089" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377087"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-te is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619091" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377076"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-writer is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619093" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377091"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nso is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619095" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377061"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-sdk-doc is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619097" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377059"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ve is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619099" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377090"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-emailmerge is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619101" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377100"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fi is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619103" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377112"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-dz is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619105" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377142"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-bn is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619107" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377137"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zu is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619109" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377149"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-ogltrans is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619111" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377147"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-bsh is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619113" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377160"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-gl is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619115" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377132"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pt-BR is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619117" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377054"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-graphicfilter is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619119" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377041"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ca is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619121" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377113"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hi is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619123" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377146"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-math is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619125" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377129"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ja is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619127" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377094"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-xh is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619129" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377152"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619131" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377153"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nl is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619133" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377107"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ta is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619135" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377058"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-en is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619137" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377130"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-sdk is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619139" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377124"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-st is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619141" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377123"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-draw is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619143" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377140"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-wiki-publisher is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619145" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377144"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-it is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619147" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377116"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ts is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619149" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377057"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-lt is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619151" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377034"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-ure is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619153" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377084"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619155" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377039"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ur is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619157" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152619081"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ur is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152619158" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152619081"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-et is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619159" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377150"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-af is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619161" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377103"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nn is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619163" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377036"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-mai is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619165" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377066"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ar is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619167" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377052"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-cy is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619169" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377097"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-rhino is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619171" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377117"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sk is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619173" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377096"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-da is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619175" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377037"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-as is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619177" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377136"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-uk is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619179" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377047"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ro is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619181" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377051"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-cs is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619183" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377114"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-es is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619185" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377074"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-it is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619187" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377092"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-vi is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619189" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377068"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-bg is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619191" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377159"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-cs is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619193" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377099"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ru is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619195" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377086"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-pl is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619197" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377055"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sv is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619199" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377088"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fi is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619201" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377065"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-opensymbol-fonts is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619203" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377035"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619205" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377048"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sk is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619207" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377115"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-zh is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619209" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377121"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ca is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619211" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377067"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ga is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619213" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377063"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-de is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619215" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377045"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-af is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619217" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377062"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-nl is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619219" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377122"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-hr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619221" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377070"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619223" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377139"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-is is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619225" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377038"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-lt is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619227" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377145"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-lb is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619229" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377138"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sl is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619231" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377110"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ro is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619233" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377161"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-pt is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619235" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377075"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-mn is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619237" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377082"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-es is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619239" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377050"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ko is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619241" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377157"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-en is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619243" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377128"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-da is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619245" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377069"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fa is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619247" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377080"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-tr is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619249" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377098"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-hu is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619251" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377127"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ja is earlier than 1:4.2.8.2-11.el6_7.1" id="oval:com.redhat.rhsa:tst:20152619253" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377131"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-de is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619259" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377079"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-ogltrans is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619260" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377147"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-et is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619261" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377150"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-draw is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619262" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377140"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-or is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619263" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377108"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nl is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619264" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377107"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619265" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377085"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zh-Hant is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619266" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377040"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nb is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619267" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377156"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ga is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619268" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377073"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-es is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619269" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377074"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-postgresql is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619270" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377056"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619272" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377039"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ve is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619273" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377090"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zu is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619274" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377149"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nso is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619275" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377061"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sk is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619276" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377096"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-kn is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619277" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377134"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-eu is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619278" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377053"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pl is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619279" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377064"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619280" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377101"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-base is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619281" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377078"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ts is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619282" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377057"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-tr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619283" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377072"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-librelogo is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619284" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377043"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sv is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619285" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377143"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-he is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619286" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377060"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-ure is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619287" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377084"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fi is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619288" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377112"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-gu is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619289" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377106"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-zh-Hans is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619290" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377089"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-tn is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619291" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377119"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pt-BR is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619292" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377054"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-glade is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619293" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377133"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ko is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619294" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377126"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-th is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619295" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377081"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ar is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619296" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377052"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-bsh is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619297" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377160"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pt-PT is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619298" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377095"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-bg is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619299" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377148"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-bn is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619300" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377137"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-nlpsolver is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619301" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377083"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-pdfimport is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619302" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377141"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-emailmerge is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619303" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377100"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-filters is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619304" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377135"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-pyuno is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619305" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377125"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-impress is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619306" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377071"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-rhino is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619307" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377117"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-da is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619308" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377037"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-fa is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619309" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377104"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-it is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619311" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377116"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-officebean is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619312" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152619132"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-officebean is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152619313" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152619132"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ru is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619314" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377109"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-as is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619315" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377136"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-dz is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619316" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377142"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-graphicfilter is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619317" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377041"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-si is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619318" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377111"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-en is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619320" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377130"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-lv is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619321" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377077"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-af is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619323" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377103"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-nn is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619324" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377036"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-uk is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619325" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377047"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-st is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619326" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377123"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-gdb-debug-support is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619327" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377046"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-cs is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619328" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377114"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-xh is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619329" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377152"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-el is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619330" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377158"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-wiki-publisher is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619331" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377144"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ss is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619332" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377087"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-math is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619333" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377129"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-br is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619334" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377120"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sl is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619336" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377042"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ta is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619337" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377058"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-te is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619338" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377076"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-cy is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619339" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377097"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-mai is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619340" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377066"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-headless is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619341" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377044"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-sdk-doc is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619342" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377059"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-sdk is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619343" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377124"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-sr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619344" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377153"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-calc is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619345" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377151"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ja is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619346" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377094"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619347" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377033"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-lt is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619348" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377034"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-core is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619349" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377049"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-mr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619350" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377093"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-writer is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619351" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377091"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hu is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619352" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377118"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ml is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619353" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377154"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-xsltfilter is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619354" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377155"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ca is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619355" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377113"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-gl is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619356" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377132"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-hi is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619357" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377146"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-pa is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619358" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377105"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-ro is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619359" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377051"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-langpack-kk is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619360" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377102"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-nl is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619362" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377122"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-mn is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619363" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377082"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ga is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619364" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377063"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-pt is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619365" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377075"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ja is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619366" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377131"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-de is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619367" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377045"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sv is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619368" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377088"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-af is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619369" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377062"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-zh is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619370" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377121"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-da is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619371" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377069"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-vi is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619372" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377068"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-en is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619373" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377128"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-bg is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619374" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377159"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fi is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619375" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377065"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-tr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619376" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377098"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fa is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619377" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377080"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-hr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619378" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377070"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619379" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377048"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-is is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619380" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377038"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-cs is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619381" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377099"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ro is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619382" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377161"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-lb is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619383" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377138"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-lt is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619384" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377145"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sk is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619385" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377115"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ru is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619386" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377086"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-fr is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619387" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377139"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ca is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619388" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377067"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-sl is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619389" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377110"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libreoffice-opensymbol-fonts is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619390" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377035"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-es is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619391" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377050"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-ko is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619392" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377157"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-hu is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619393" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377127"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-pl is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619394" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377055"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="autocorr-it is earlier than 1:4.3.7.2-5.el7_2.1" id="oval:com.redhat.rhsa:tst:20152619395" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150377092"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152619005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2 is earlier than 1:2.02-0.33.el7_2" id="oval:com.redhat.rhsa:tst:20152623005" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152623003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2-tools is earlier than 1:2.02-0.33.el7_2" id="oval:com.redhat.rhsa:tst:20152623007" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152623003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2-efi is earlier than 1:2.02-0.33.el7_2" id="oval:com.redhat.rhsa:tst:20152623009" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152623003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="grub2-efi-modules is earlier than 1:2.02-0.33.el7_2" id="oval:com.redhat.rhsa:tst:20152623011" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152401007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152623003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.8.2-0.37.rc1.el6_7.5" id="oval:com.redhat.rhsa:tst:20152655005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.8.2-0.37.rc1.el6_7.5" id="oval:com.redhat.rhsa:tst:20152655007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.8.2-0.37.rc1.el6_7.5" id="oval:com.redhat.rhsa:tst:20152655009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.8.2-0.37.rc1.el6_7.5" id="oval:com.redhat.rhsa:tst:20152655011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.8.2-0.37.rc1.el6_7.5" id="oval:com.redhat.rhsa:tst:20152655013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.8.2-0.37.rc1.el6_7.5" id="oval:com.redhat.rhsa:tst:20152655015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11-utils is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11-utils is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152655023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs-lite is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11-devel is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152655028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11-libs is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152655030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11 is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11 is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20152655032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-lite-devel is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655035" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb-chroot is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655037" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-license is earlier than 32:9.9.4-29.el7_2.1" id="oval:com.redhat.rhsa:tst:20152655041" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152655005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.5.0-2.el5_11" id="oval:com.redhat.rhsa:tst:20152657002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152657004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.5.0-2.el6_7" id="oval:com.redhat.rhsa:tst:20152657008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152657006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.5.0-3.el7_2" id="oval:com.redhat.rhsa:tst:20152657014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20152657008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.5.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20160001002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160001004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.5.0-1.el6_7" id="oval:com.redhat.rhsa:tst:20160001008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160001006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.5.0-1.el7_2" id="oval:com.redhat.rhsa:tst:20160001014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160001008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpcbind is earlier than 0:0.2.0-11.el6_7" id="oval:com.redhat.rhsa:tst:20160005005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160005005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160005003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpcbind is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160005006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160005005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="rpcbind is earlier than 0:0.2.0-33.el7_2" id="oval:com.redhat.rhsa:tst:20160005011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160005005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160005005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006005" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867021"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006007" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-modules is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006009" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-common-libs is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006011" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-common-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160006012" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ctdb is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006013" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ctdb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160006014" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-common-tools is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006015" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-common-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160006016" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006017" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867022"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc-libs is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006019" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-vfs-glusterfs is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006021" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test-devel is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006023" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-libs is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006025" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test-libs is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006027" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-test-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160006028" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-krb5-locator is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006029" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006031" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-dc is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006033" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ctdb-tests is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006035" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ctdb-tests is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160006036" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006020"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-winbind-clients is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006037" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-client is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006039" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867023"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient-devel is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006041" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-client-libs is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006043" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-client-libs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160006044" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006024"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ctdb-devel is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006045" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ctdb-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160006046" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160006025"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libwbclient is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006047" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libsmbclient-devel is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006049" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-python is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006051" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-devel is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006053" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-common is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006055" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="samba-pidl is earlier than 0:4.2.3-11.el7_2" id="oval:com.redhat.rhsa:tst:20160006057" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140867013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160006003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.19.1-8.el6_7" id="oval:com.redhat.rhsa:tst:20160007005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.19.1-8.el6_7" id="oval:com.redhat.rhsa:tst:20160007007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.19.1-8.el6_7" id="oval:com.redhat.rhsa:tst:20160007009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.19.1-8.el6_7" id="oval:com.redhat.rhsa:tst:20160007011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.19.1-8.el6_7" id="oval:com.redhat.rhsa:tst:20160007013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-devel is earlier than 0:3.19.1-19.el7_2" id="oval:com.redhat.rhsa:tst:20160007019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-pkcs11-devel is earlier than 0:3.19.1-19.el7_2" id="oval:com.redhat.rhsa:tst:20160007020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-tools is earlier than 0:3.19.1-19.el7_2" id="oval:com.redhat.rhsa:tst:20160007021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss-sysinit is earlier than 0:3.19.1-19.el7_2" id="oval:com.redhat.rhsa:tst:20160007022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nss is earlier than 0:3.19.1-19.el7_2" id="oval:com.redhat.rhsa:tst:20160007023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140916002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160007005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 0:1.0.1e-42.el6_7.2" id="oval:com.redhat.rhsa:tst:20160008005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 0:1.0.1e-42.el6_7.2" id="oval:com.redhat.rhsa:tst:20160008007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 0:1.0.1e-42.el6_7.2" id="oval:com.redhat.rhsa:tst:20160008009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 0:1.0.1e-42.el6_7.2" id="oval:com.redhat.rhsa:tst:20160008011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160008003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-51.el7_2.2" id="oval:com.redhat.rhsa:tst:20160008017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160008005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-51.el7_2.2" id="oval:com.redhat.rhsa:tst:20160008018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160008005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-51.el7_2.2" id="oval:com.redhat.rhsa:tst:20160008019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160008005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-51.el7_2.2" id="oval:com.redhat.rhsa:tst:20160008020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160008005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-51.el7_2.2" id="oval:com.redhat.rhsa:tst:20160008022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160008005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pyldb is earlier than 0:1.1.13-3.el6_7.1" id="oval:com.redhat.rhsa:tst:20160009005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pyldb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160009006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ldb-tools is earlier than 0:1.1.13-3.el6_7.1" id="oval:com.redhat.rhsa:tst:20160009007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ldb-tools is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160009008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libldb is earlier than 0:1.1.13-3.el6_7.1" id="oval:com.redhat.rhsa:tst:20160009009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libldb is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160009010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pyldb-devel is earlier than 0:1.1.13-3.el6_7.1" id="oval:com.redhat.rhsa:tst:20160009011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pyldb-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160009012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libldb-devel is earlier than 0:1.1.13-3.el6_7.1" id="oval:com.redhat.rhsa:tst:20160009013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libldb-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160009014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libldb is earlier than 0:1.1.20-1.el7_2.2" id="oval:com.redhat.rhsa:tst:20160009019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ldb-tools is earlier than 0:1.1.20-1.el7_2.2" id="oval:com.redhat.rhsa:tst:20160009020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libldb-devel is earlier than 0:1.1.20-1.el7_2.2" id="oval:com.redhat.rhsa:tst:20160009021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pyldb is earlier than 0:1.1.20-1.el7_2.2" id="oval:com.redhat.rhsa:tst:20160009022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pyldb-devel is earlier than 0:1.1.20-1.el7_2.2" id="oval:com.redhat.rhsa:tst:20160009023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160009008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160009005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls is earlier than 0:2.8.5-19.el6_7" id="oval:com.redhat.rhsa:tst:20160012005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160012003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-devel is earlier than 0:2.8.5-19.el6_7" id="oval:com.redhat.rhsa:tst:20160012007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160012003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-utils is earlier than 0:2.8.5-19.el6_7" id="oval:com.redhat.rhsa:tst:20160012009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160012003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-guile is earlier than 0:2.8.5-19.el6_7" id="oval:com.redhat.rhsa:tst:20160012011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160012008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160012003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-guile is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160012012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160012008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-dane is earlier than 0:3.3.8-14.el7_2" id="oval:com.redhat.rhsa:tst:20160012017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160012005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls is earlier than 0:3.3.8-14.el7_2" id="oval:com.redhat.rhsa:tst:20160012019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160012005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-c++ is earlier than 0:3.3.8-14.el7_2" id="oval:com.redhat.rhsa:tst:20160012020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160012005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-utils is earlier than 0:3.3.8-14.el7_2" id="oval:com.redhat.rhsa:tst:20160012022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160012005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="gnutls-devel is earlier than 0:3.3.8-14.el7_2" id="oval:com.redhat.rhsa:tst:20160012023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140684009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160012005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-ldap is earlier than 0:6.6.1p1-23.el7_2" id="oval:com.redhat.rhsa:tst:20160043005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160043003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-keycat is earlier than 0:6.6.1p1-23.el7_2" id="oval:com.redhat.rhsa:tst:20160043007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160043003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-server is earlier than 0:6.6.1p1-23.el7_2" id="oval:com.redhat.rhsa:tst:20160043009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160043003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-askpass is earlier than 0:6.6.1p1-23.el7_2" id="oval:com.redhat.rhsa:tst:20160043011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160043003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-server-sysvinit is earlier than 0:6.6.1p1-23.el7_2" id="oval:com.redhat.rhsa:tst:20160043013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160043003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="pam_ssh_agent_auth is earlier than 0:0.9.3-9.23.el7_2" id="oval:com.redhat.rhsa:tst:20160043015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160043004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh-clients is earlier than 0:6.6.1p1-23.el7_2" id="oval:com.redhat.rhsa:tst:20160043017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160043003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssh is earlier than 0:6.6.1p1-23.el7_2" id="oval:com.redhat.rhsa:tst:20160043019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150425005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160043003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-headless-debug is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src-debug is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel-debug is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-accessibility-debug is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160049010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-accessibility-debug is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160049016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160049010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-debug is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo-debug is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-src is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-demo is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-devel is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc-debug is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20151919016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.71-2.b15.el7_2" id="oval:com.redhat.rhsa:tst:20160049031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150809009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160049003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.95-2.6.4.1.el5_11" id="oval:com.redhat.rhsa:tst:20160054002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20160054003" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.95-2.6.4.1.el5_11" id="oval:com.redhat.rhsa:tst:20160054004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20160054005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.95-2.6.4.1.el5_11" id="oval:com.redhat.rhsa:tst:20160054006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20160054007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.95-2.6.4.1.el5_11" id="oval:com.redhat.rhsa:tst:20160054008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20160054009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.95-2.6.4.1.el5_11" id="oval:com.redhat.rhsa:tst:20160054010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease key" id="oval:com.redhat.rhsa:tst:20160054011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140741002"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.95-2.6.4.0.el7_2" id="oval:com.redhat.rhsa:tst:20160054016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-src is earlier than 1:1.7.0.95-2.6.4.0.el7_2" id="oval:com.redhat.rhsa:tst:20160054018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk is earlier than 1:1.7.0.95-2.6.4.0.el7_2" id="oval:com.redhat.rhsa:tst:20160054020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-devel is earlier than 1:1.7.0.95-2.6.4.0.el7_2" id="oval:com.redhat.rhsa:tst:20160054022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-headless is earlier than 1:1.7.0.95-2.6.4.0.el7_2" id="oval:com.redhat.rhsa:tst:20160054024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-demo is earlier than 1:1.7.0.95-2.6.4.0.el7_2" id="oval:com.redhat.rhsa:tst:20160054026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.95-2.6.4.0.el7_2" id="oval:com.redhat.rhsa:tst:20160054028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140675009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160054006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-perl is earlier than 0:4.2.6p5-5.el6_7.4" id="oval:com.redhat.rhsa:tst:20160063005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160063003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp is earlier than 0:4.2.6p5-5.el6_7.4" id="oval:com.redhat.rhsa:tst:20160063007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160063003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntpdate is earlier than 0:4.2.6p5-5.el6_7.4" id="oval:com.redhat.rhsa:tst:20160063009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160063003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-doc is earlier than 0:4.2.6p5-5.el6_7.4" id="oval:com.redhat.rhsa:tst:20160063011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160063003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntpdate is earlier than 0:4.2.6p5-22.el7_2.1" id="oval:com.redhat.rhsa:tst:20160063017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160063005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sntp is earlier than 0:4.2.6p5-22.el7_2.1" id="oval:com.redhat.rhsa:tst:20160063018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160063005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp is earlier than 0:4.2.6p5-22.el7_2.1" id="oval:com.redhat.rhsa:tst:20160063020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160063005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-doc is earlier than 0:4.2.6p5-22.el7_2.1" id="oval:com.redhat.rhsa:tst:20160063021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160063005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="ntp-perl is earlier than 0:4.2.6p5-22.el7_2.1" id="oval:com.redhat.rhsa:tst:20160063022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20142024009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160063005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-327.4.5.el7" id="oval:com.redhat.rhsa:tst:20160064033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160064003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-kvm is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-kvm is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-kvm is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is earlier than 0:3.10.0-327.4.5.rt56.206.el7_2" id="oval:com.redhat.rhsa:tst:20160065023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160065003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.38-1.13.10.0.el5_11" id="oval:com.redhat.rhsa:tst:20160067002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.38-1.13.10.0.el5_11" id="oval:com.redhat.rhsa:tst:20160067004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.38-1.13.10.0.el5_11" id="oval:com.redhat.rhsa:tst:20160067006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.38-1.13.10.0.el5_11" id="oval:com.redhat.rhsa:tst:20160067008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.38-1.13.10.0.el5_11" id="oval:com.redhat.rhsa:tst:20160067010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.38-1.13.10.0.el6_7" id="oval:com.redhat.rhsa:tst:20160067016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.38-1.13.10.0.el6_7" id="oval:com.redhat.rhsa:tst:20160067018" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.38-1.13.10.0.el6_7" id="oval:com.redhat.rhsa:tst:20160067020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.38-1.13.10.0.el6_7" id="oval:com.redhat.rhsa:tst:20160067022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.38-1.13.10.0.el6_7" id="oval:com.redhat.rhsa:tst:20160067024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-src is earlier than 1:1.6.0.38-1.13.10.0.el7_2" id="oval:com.redhat.rhsa:tst:20160067030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-demo is earlier than 1:1.6.0.38-1.13.10.0.el7_2" id="oval:com.redhat.rhsa:tst:20160067031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk is earlier than 1:1.6.0.38-1.13.10.0.el7_2" id="oval:com.redhat.rhsa:tst:20160067032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-devel is earlier than 1:1.6.0.38-1.13.10.0.el7_2" id="oval:com.redhat.rhsa:tst:20160067033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.38-1.13.10.0.el7_2" id="oval:com.redhat.rhsa:tst:20160067034" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140685007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160067008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.6.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20160071002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160071004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.6.0-1.el6_7" id="oval:com.redhat.rhsa:tst:20160071008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160071006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.6.0-1.el7_2" id="oval:com.redhat.rhsa:tst:20160071014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160071008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 30:9.3.6-25.P1.el5_11.6" id="oval:com.redhat.rhsa:tst:20160073002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 30:9.3.6-25.P1.el5_11.6" id="oval:com.redhat.rhsa:tst:20160073004" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libbind-devel is earlier than 30:9.3.6-25.P1.el5_11.6" id="oval:com.redhat.rhsa:tst:20160073006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 30:9.3.6-25.P1.el5_11.6" id="oval:com.redhat.rhsa:tst:20160073008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 30:9.3.6-25.P1.el5_11.6" id="oval:com.redhat.rhsa:tst:20160073010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 30:9.3.6-25.P1.el5_11.6" id="oval:com.redhat.rhsa:tst:20160073012" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 30:9.3.6-25.P1.el5_11.6" id="oval:com.redhat.rhsa:tst:20160073014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="caching-nameserver is earlier than 30:9.3.6-25.P1.el5_11.6" id="oval:com.redhat.rhsa:tst:20160073016" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.8.2-0.37.rc1.el6_7.6" id="oval:com.redhat.rhsa:tst:20160073022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.8.2-0.37.rc1.el6_7.6" id="oval:com.redhat.rhsa:tst:20160073024" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.8.2-0.37.rc1.el6_7.6" id="oval:com.redhat.rhsa:tst:20160073026" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.8.2-0.37.rc1.el6_7.6" id="oval:com.redhat.rhsa:tst:20160073028" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.8.2-0.37.rc1.el6_7.6" id="oval:com.redhat.rhsa:tst:20160073030" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.8.2-0.37.rc1.el6_7.6" id="oval:com.redhat.rhsa:tst:20160073032" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073038" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-devel is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073039" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11-devel is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073040" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-lite-devel is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073042" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073044" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-chroot is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073045" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073046" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-sdb-chroot is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073047" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-utils is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073049" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11-utils is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073050" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11-libs is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073052" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-pkcs11 is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073054" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152655015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-libs-lite is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073056" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="bind-license is earlier than 32:9.9.4-29.el7_2.2" id="oval:com.redhat.rhsa:tst:20160073058" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141984014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160073008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-devel is earlier than 10:1.5.3-105.el7_2.3" id="oval:com.redhat.rhsa:tst:20160083005" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard is earlier than 10:1.5.3-105.el7_2.3" id="oval:com.redhat.rhsa:tst:20160083007" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-tools is earlier than 10:1.5.3-105.el7_2.3" id="oval:com.redhat.rhsa:tst:20160083009" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-img is earlier than 10:1.5.3-105.el7_2.3" id="oval:com.redhat.rhsa:tst:20160083011" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm-common is earlier than 10:1.5.3-105.el7_2.3" id="oval:com.redhat.rhsa:tst:20160083013" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="libcacard-tools is earlier than 10:1.5.3-105.el7_2.3" id="oval:com.redhat.rhsa:tst:20160083015" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="qemu-kvm is earlier than 10:1.5.3-105.el7_2.3" id="oval:com.redhat.rhsa:tst:20160083017" version="603">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140704005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160083003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-headers is earlier than 0:2.17-106.el7_2.4" id="oval:com.redhat.rhsa:tst:20160176005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160176003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-static is earlier than 0:2.17-106.el7_2.4" id="oval:com.redhat.rhsa:tst:20160176007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160176003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc is earlier than 0:2.17-106.el7_2.4" id="oval:com.redhat.rhsa:tst:20160176009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160176003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-common is earlier than 0:2.17-106.el7_2.4" id="oval:com.redhat.rhsa:tst:20160176011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160176003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-utils is earlier than 0:2.17-106.el7_2.4" id="oval:com.redhat.rhsa:tst:20160176013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160176003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="nscd is earlier than 0:2.17-106.el7_2.4" id="oval:com.redhat.rhsa:tst:20160176015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110004"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160176003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="glibc-devel is earlier than 0:2.17-106.el7_2.4" id="oval:com.redhat.rhsa:tst:20160176017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141110003"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160176003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-abi-whitelists is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678019"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-doc is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678018"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="python-perf is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="perf is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump-devel is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678017"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug-devel is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-headers is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-debug is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-devel is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-kdump is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678016"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-bootwrapper is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185027" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185029" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs-devel is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185031" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-tools-libs is earlier than 0:3.10.0-327.10.1.el7" id="oval:com.redhat.rhsa:tst:20160185033" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140678008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160185003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sos is earlier than 0:3.2-35.el7_2.3" id="oval:com.redhat.rhsa:tst:20160188005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160188005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160188003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="sos is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160188006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160188005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit is earlier than 0:0.112-6.el7_2" id="oval:com.redhat.rhsa:tst:20160189005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160189005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160189003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160189006" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160189005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-devel is earlier than 0:0.112-6.el7_2" id="oval:com.redhat.rhsa:tst:20160189007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160189006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160189003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-devel is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160189008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160189006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-docs is earlier than 0:0.112-6.el7_2" id="oval:com.redhat.rhsa:tst:20160189009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160189007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160189003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="polkit-docs is signed with Red Hat redhatrelease2 key" id="oval:com.redhat.rhsa:tst:20160189010" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20160189007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20140675001"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.6.1-1.el5_11" id="oval:com.redhat.rhsa:tst:20160197002" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160197004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.6.1-1.el6_7" id="oval:com.redhat.rhsa:tst:20160197008" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160197006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="firefox is earlier than 0:38.6.1-1.el7_2" id="oval:com.redhat.rhsa:tst:20160197014" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140741002"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160197008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-devel is earlier than 0:1.3.4.0-26.el7_2" id="oval:com.redhat.rhsa:tst:20160204005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160204003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base is earlier than 0:1.3.4.0-26.el7_2" id="oval:com.redhat.rhsa:tst:20160204007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160204003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="389-ds-base-libs is earlier than 0:1.3.4.0-26.el7_2" id="oval:com.redhat.rhsa:tst:20160204009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20141031006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160204003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-doc is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-kvm is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-devel is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-kvm is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-devel is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-debug-kvm is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20152411006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt-trace-devel is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="kernel-rt is earlier than 0:3.10.0-327.10.1.rt56.211.el7_2" id="oval:com.redhat.rhsa:tst:20160212023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150727005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160212003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.6.0-1.el5_11" id="oval:com.redhat.rhsa:tst:20160258002" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160071004"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.6.0-1.el6_7" id="oval:com.redhat.rhsa:tst:20160258008" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160071006"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="thunderbird is earlier than 0:38.6.0-1.el7_2" id="oval:com.redhat.rhsa:tst:20160258014" version="602">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150642005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160071008"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 0:1.0.1e-42.el6_7.4" id="oval:com.redhat.rhsa:tst:20160301005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 0:1.0.1e-42.el6_7.4" id="oval:com.redhat.rhsa:tst:20160301007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 0:1.0.1e-42.el6_7.4" id="oval:com.redhat.rhsa:tst:20160301009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 0:1.0.1e-42.el6_7.4" id="oval:com.redhat.rhsa:tst:20160301011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160301003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-libs is earlier than 1:1.0.1e-51.el7_2.4" id="oval:com.redhat.rhsa:tst:20160301017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160301005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-perl is earlier than 1:1.0.1e-51.el7_2.4" id="oval:com.redhat.rhsa:tst:20160301019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160301005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-static is earlier than 1:1.0.1e-51.el7_2.4" id="oval:com.redhat.rhsa:tst:20160301020" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160301005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl is earlier than 1:1.0.1e-51.el7_2.4" id="oval:com.redhat.rhsa:tst:20160301021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160301005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="openssl-devel is earlier than 1:1.0.1e-51.el7_2.4" id="oval:com.redhat.rhsa:tst:20160301022" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20140679006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160301005"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346005" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750005"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-pltcl is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346007" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750013"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plpython is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346009" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750006"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-server is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346011" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750007"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-test is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346013" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750014"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-plperl is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346015" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750008"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-libs is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346017" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750012"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-docs is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346019" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750010"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-devel is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346021" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750009"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-contrib is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346023" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750011"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
<red-def:rpminfo_test check="at least one" comment="postgresql-upgrade is earlier than 0:9.2.15-1.el7_2" id="oval:com.redhat.rhsa:tst:20160346025" version="601">
<red-def:object object_ref="oval:com.redhat.rhsa:obj:20150750015"/>
<red-def:state state_ref="oval:com.redhat.rhsa:ste:20160346003"/>
</red-def:rpminfo_test>
</tests>
<objects>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675001" version="601">
<red-def:name>redhat-release-client</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675002" version="601">
<red-def:name>redhat-release-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675003" version="601">
<red-def:name>redhat-release-workstation</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675004" version="601">
<red-def:name>redhat-release-computenode</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675005" version="601">
<red-def:name>java-1.7.0-openjdk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675006" version="601">
<red-def:name>java-1.7.0-openjdk-src</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675007" version="601">
<red-def:name>java-1.7.0-openjdk-demo</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675008" version="601">
<red-def:name>java-1.7.0-openjdk-headless</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675009" version="601">
<red-def:name>java-1.7.0-openjdk-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675010" version="601">
<red-def:name>java-1.7.0-openjdk-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140675011" version="601">
<red-def:name>java-1.7.0-openjdk-accessibility</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678005" version="601">
<red-def:name>kernel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678006" version="601">
<red-def:name>kernel-headers</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678007" version="601">
<red-def:name>kernel-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678008" version="601">
<red-def:name>kernel-tools-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678009" version="601">
<red-def:name>perf</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678010" version="601">
<red-def:name>python-perf</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678011" version="601">
<red-def:name>kernel-debug-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678012" version="601">
<red-def:name>kernel-tools-libs-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678013" version="601">
<red-def:name>kernel-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678014" version="601">
<red-def:name>kernel-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678015" version="601">
<red-def:name>kernel-bootwrapper</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678016" version="601">
<red-def:name>kernel-kdump</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678017" version="601">
<red-def:name>kernel-kdump-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678018" version="601">
<red-def:name>kernel-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140678019" version="601">
<red-def:name>kernel-abi-whitelists</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140679005" version="601">
<red-def:name>openssl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140679006" version="601">
<red-def:name>openssl-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140679007" version="601">
<red-def:name>openssl-perl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140679008" version="601">
<red-def:name>openssl-static</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140679009" version="601">
<red-def:name>openssl-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140680005" version="601">
<red-def:name>openssl098e</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140684005" version="601">
<red-def:name>gnutls</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140684006" version="601">
<red-def:name>gnutls-dane</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140684007" version="601">
<red-def:name>gnutls-c++</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140684008" version="601">
<red-def:name>gnutls-utils</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140684009" version="601">
<red-def:name>gnutls-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140685005" version="601">
<red-def:name>java-1.6.0-openjdk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140685006" version="601">
<red-def:name>java-1.6.0-openjdk-demo</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140685007" version="601">
<red-def:name>java-1.6.0-openjdk-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140685008" version="601">
<red-def:name>java-1.6.0-openjdk-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140685009" version="601">
<red-def:name>java-1.6.0-openjdk-src</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686005" version="601">
<red-def:name>tomcat</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686006" version="601">
<red-def:name>tomcat-webapps</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686007" version="601">
<red-def:name>tomcat-lib</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686008" version="601">
<red-def:name>tomcat-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686009" version="601">
<red-def:name>tomcat-docs-webapp</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686010" version="601">
<red-def:name>tomcat-admin-webapps</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686011" version="601">
<red-def:name>tomcat-jsp-2.2-api</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686012" version="601">
<red-def:name>tomcat-servlet-3.0-api</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686013" version="601">
<red-def:name>tomcat-jsvc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140686014" version="601">
<red-def:name>tomcat-el-2.2-api</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140687005" version="601">
<red-def:name>libtasn1</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140687006" version="601">
<red-def:name>libtasn1-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140687007" version="601">
<red-def:name>libtasn1-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140702005" version="602">
<red-def:name>mariadb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140702006" version="602">
<red-def:name>mariadb-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140702007" version="602">
<red-def:name>mariadb-embedded-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140702008" version="602">
<red-def:name>mariadb-bench</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140702009" version="602">
<red-def:name>mariadb-embedded</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140702010" version="602">
<red-def:name>mariadb-test</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140702011" version="602">
<red-def:name>mariadb-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140702012" version="602">
<red-def:name>mariadb-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140703005" version="601">
<red-def:name>json-c</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140703006" version="601">
<red-def:name>json-c-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140703007" version="601">
<red-def:name>json-c-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140704005" version="601">
<red-def:name>qemu-kvm</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140704006" version="601">
<red-def:name>libcacard</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140704007" version="601">
<red-def:name>libcacard-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140704008" version="601">
<red-def:name>qemu-guest-agent</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140704009" version="601">
<red-def:name>qemu-img</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140704010" version="601">
<red-def:name>libcacard-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140704011" version="601">
<red-def:name>qemu-kvm-common</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140704012" version="601">
<red-def:name>qemu-kvm-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140741001" version="601">
<red-def:name>redhat-release</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140741002" version="601">
<red-def:name>firefox</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140741007" version="601">
<red-def:name>xulrunner</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140741008" version="601">
<red-def:name>xulrunner-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140790005" version="601">
<red-def:name>dovecot</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140790006" version="601">
<red-def:name>dovecot-pigeonhole</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140790007" version="601">
<red-def:name>dovecot-mysql</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140790008" version="601">
<red-def:name>dovecot-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140790009" version="601">
<red-def:name>dovecot-pgsql</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140861005" version="601">
<red-def:name>lzo</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140861006" version="601">
<red-def:name>lzo-minilzo</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140861007" version="601">
<red-def:name>lzo-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867005" version="601">
<red-def:name>samba</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867006" version="601">
<red-def:name>libwbclient-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867007" version="601">
<red-def:name>samba-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867008" version="601">
<red-def:name>samba-winbind-krb5-locator</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867009" version="601">
<red-def:name>samba-dc-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867010" version="601">
<red-def:name>samba-winbind-modules</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867011" version="601">
<red-def:name>samba-winbind-clients</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867012" version="601">
<red-def:name>samba-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867013" version="601">
<red-def:name>samba-pidl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867014" version="601">
<red-def:name>samba-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867015" version="601">
<red-def:name>libwbclient</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867016" version="601">
<red-def:name>samba-dc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867017" version="601">
<red-def:name>samba-test-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867018" version="601">
<red-def:name>libsmbclient-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867019" version="601">
<red-def:name>samba-common</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867020" version="601">
<red-def:name>samba-winbind</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867021" version="601">
<red-def:name>libsmbclient</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867022" version="601">
<red-def:name>samba-test</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867023" version="601">
<red-def:name>samba-client</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140867024" version="601">
<red-def:name>samba-vfs-glusterfs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914005" version="602">
<red-def:name>libvirt</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914006" version="602">
<red-def:name>libvirt-daemon-config-network</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914007" version="602">
<red-def:name>libvirt-daemon-driver-network</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914008" version="602">
<red-def:name>libvirt-daemon-driver-secret</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914009" version="602">
<red-def:name>libvirt-login-shell</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914010" version="602">
<red-def:name>libvirt-daemon</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914011" version="602">
<red-def:name>libvirt-daemon-driver-storage</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914012" version="602">
<red-def:name>libvirt-daemon-driver-nodedev</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914013" version="602">
<red-def:name>libvirt-daemon-config-nwfilter</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914014" version="602">
<red-def:name>libvirt-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914015" version="602">
<red-def:name>libvirt-daemon-driver-lxc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914016" version="602">
<red-def:name>libvirt-daemon-driver-interface</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914017" version="602">
<red-def:name>libvirt-daemon-lxc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914018" version="602">
<red-def:name>libvirt-docs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914019" version="602">
<red-def:name>libvirt-client</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914020" version="602">
<red-def:name>libvirt-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914021" version="602">
<red-def:name>libvirt-daemon-driver-nwfilter</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914022" version="602">
<red-def:name>libvirt-daemon-driver-qemu</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914023" version="602">
<red-def:name>libvirt-lock-sanlock</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140914024" version="602">
<red-def:name>libvirt-daemon-kvm</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140916002" version="601">
<red-def:name>nss</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140916003" version="601">
<red-def:name>nss-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140916004" version="601">
<red-def:name>nss-pkcs11-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140916005" version="601">
<red-def:name>nss-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140916006" version="601">
<red-def:name>nspr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140916007" version="601">
<red-def:name>nspr-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140916012" version="601">
<red-def:name>nss-sysinit</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140921005" version="601">
<red-def:name>httpd</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140921006" version="601">
<red-def:name>mod_proxy_html</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140921007" version="601">
<red-def:name>mod_ldap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140921008" version="601">
<red-def:name>httpd-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140921009" version="601">
<red-def:name>httpd-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140921010" version="601">
<red-def:name>mod_session</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140921011" version="601">
<red-def:name>httpd-manual</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20140921012" version="601">
<red-def:name>mod_ssl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011005" version="602">
<red-def:name>resteasy-base</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011006" version="602">
<red-def:name>resteasy-base-tjws</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011007" version="602">
<red-def:name>resteasy-base-atom-provider</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011008" version="602">
<red-def:name>resteasy-base-jaxrs-all</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011009" version="602">
<red-def:name>resteasy-base-jettison-provider</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011010" version="602">
<red-def:name>resteasy-base-providers-pom</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011011" version="602">
<red-def:name>resteasy-base-jackson-provider</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011012" version="602">
<red-def:name>resteasy-base-jaxrs-api</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011013" version="602">
<red-def:name>resteasy-base-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011014" version="602">
<red-def:name>resteasy-base-jaxrs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141011015" version="602">
<red-def:name>resteasy-base-jaxb-provider</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013005" version="601">
<red-def:name>php</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013006" version="601">
<red-def:name>php-pdo</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013007" version="601">
<red-def:name>php-bcmath</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013008" version="601">
<red-def:name>php-intl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013009" version="601">
<red-def:name>php-soap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013010" version="601">
<red-def:name>php-ldap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013011" version="601">
<red-def:name>php-pgsql</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013012" version="601">
<red-def:name>php-xml</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013013" version="601">
<red-def:name>php-common</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013014" version="601">
<red-def:name>php-gd</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013015" version="601">
<red-def:name>php-odbc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013016" version="601">
<red-def:name>php-mysqlnd</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013017" version="601">
<red-def:name>php-process</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013018" version="601">
<red-def:name>php-embedded</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013019" version="601">
<red-def:name>php-recode</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013020" version="601">
<red-def:name>php-snmp</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013021" version="601">
<red-def:name>php-xmlrpc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013022" version="601">
<red-def:name>php-cli</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013023" version="601">
<red-def:name>php-pspell</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013024" version="601">
<red-def:name>php-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013025" version="601">
<red-def:name>php-dba</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013026" version="601">
<red-def:name>php-mbstring</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013027" version="601">
<red-def:name>php-mysql</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013028" version="601">
<red-def:name>php-enchant</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141013029" version="601">
<red-def:name>php-fpm</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141031005" version="601">
<red-def:name>389-ds-base</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141031006" version="601">
<red-def:name>389-ds-base-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141031007" version="601">
<red-def:name>389-ds-base-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141073005" version="601">
<red-def:name>nss-util</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141073006" version="601">
<red-def:name>nss-util-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141073007" version="601">
<red-def:name>nss-softokn</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141073008" version="601">
<red-def:name>nss-softokn-freebl-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141073009" version="601">
<red-def:name>nss-softokn-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141073010" version="601">
<red-def:name>nss-softokn-freebl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141091005" version="601">
<red-def:name>mod_wsgi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141110002" version="601">
<red-def:name>glibc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141110003" version="601">
<red-def:name>glibc-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141110004" version="601">
<red-def:name>nscd</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141110005" version="601">
<red-def:name>glibc-common</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141110006" version="601">
<red-def:name>glibc-headers</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141110007" version="601">
<red-def:name>glibc-utils</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141110012" version="601">
<red-def:name>glibc-static</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141146005" version="601">
<red-def:name>httpcomponents-client</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141146006" version="601">
<red-def:name>httpcomponents-client-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141147005" version="601">
<red-def:name>squid</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141147006" version="601">
<red-def:name>squid-sysvinit</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141166002" version="601">
<red-def:name>jakarta-commons-httpclient</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141166003" version="601">
<red-def:name>jakarta-commons-httpclient-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141166004" version="601">
<red-def:name>jakarta-commons-httpclient-manual</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141166005" version="601">
<red-def:name>jakarta-commons-httpclient-demo</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141172002" version="601">
<red-def:name>procmail</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141292005" version="601">
<red-def:name>haproxy</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141293005" version="601">
<red-def:name>bash</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141293006" version="601">
<red-def:name>bash-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141319005" version="601">
<red-def:name>xerces-j2</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141319006" version="601">
<red-def:name>xerces-j2-demo</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141319007" version="601">
<red-def:name>xerces-j2-javadoc-apis</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141319008" version="601">
<red-def:name>xerces-j2-scripts</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141319009" version="601">
<red-def:name>xerces-j2-javadoc-xni</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141319010" version="601">
<red-def:name>xerces-j2-javadoc-impl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141319011" version="601">
<red-def:name>xerces-j2-javadoc-other</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141319012" version="601">
<red-def:name>xerces-j2-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141359005" version="601">
<red-def:name>polkit-qt</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141359006" version="601">
<red-def:name>polkit-qt-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141359007" version="601">
<red-def:name>polkit-qt-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397005" version="601">
<red-def:name>rsyslog</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397006" version="601">
<red-def:name>rsyslog-mmaudit</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397007" version="601">
<red-def:name>rsyslog-crypto</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397008" version="601">
<red-def:name>rsyslog-relp</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397009" version="601">
<red-def:name>rsyslog-mysql</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397010" version="601">
<red-def:name>rsyslog-libdbi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397011" version="601">
<red-def:name>rsyslog-mmjsonparse</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397012" version="601">
<red-def:name>rsyslog-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397013" version="601">
<red-def:name>rsyslog-elasticsearch</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397014" version="601">
<red-def:name>rsyslog-mmsnmptrapd</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397015" version="601">
<red-def:name>rsyslog-udpspoof</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397016" version="601">
<red-def:name>rsyslog-gssapi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397017" version="601">
<red-def:name>rsyslog-pgsql</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397018" version="601">
<red-def:name>rsyslog-mmnormalize</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397019" version="601">
<red-def:name>rsyslog-gnutls</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141397020" version="601">
<red-def:name>rsyslog-snmp</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141655005" version="601">
<red-def:name>libxml2</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141655006" version="601">
<red-def:name>libxml2-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141655007" version="601">
<red-def:name>libxml2-static</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141655008" version="601">
<red-def:name>libxml2-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141676005" version="601">
<red-def:name>wireshark</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141676006" version="601">
<red-def:name>wireshark-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141676007" version="601">
<red-def:name>wireshark-gnome</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141764005" version="601">
<red-def:name>wget</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141767030" version="601">
<red-def:name>php-tidy</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141767031" version="601">
<red-def:name>php-imap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141767032" version="601">
<red-def:name>php-zts</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141795005" version="601">
<red-def:name>cups-filters</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141795006" version="601">
<red-def:name>cups-filters-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141795007" version="601">
<red-def:name>cups-filters-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141801005" version="601">
<red-def:name>shim</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141801006" version="601">
<red-def:name>mokutil</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141801007" version="601">
<red-def:name>shim-unsigned</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141801008" version="601">
<red-def:name>shim-signed</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141826005" version="601">
<red-def:name>libvncserver</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141826006" version="601">
<red-def:name>libvncserver-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827005" version="601">
<red-def:name>kdenetwork</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827006" version="601">
<red-def:name>kdenetwork-kget-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827007" version="601">
<red-def:name>kdenetwork-krfb-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827008" version="601">
<red-def:name>kdenetwork-krdc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827009" version="601">
<red-def:name>kdenetwork-common</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827010" version="601">
<red-def:name>kdenetwork-kdnssd</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827011" version="601">
<red-def:name>kdenetwork-kget</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827012" version="601">
<red-def:name>kdenetwork-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827013" version="601">
<red-def:name>kdenetwork-krdc-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827014" version="601">
<red-def:name>kdenetwork-kopete-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827015" version="601">
<red-def:name>kdenetwork-kopete</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827016" version="601">
<red-def:name>kdenetwork-krdc-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827017" version="601">
<red-def:name>kdenetwork-krfb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827018" version="601">
<red-def:name>kdenetwork-fileshare-samba</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141827019" version="601">
<red-def:name>kdenetwork-kopete-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141870005" version="601">
<red-def:name>libXfont</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141870006" version="601">
<red-def:name>libXfont-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912005" version="601">
<red-def:name>ruby</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912006" version="601">
<red-def:name>ruby-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912007" version="601">
<red-def:name>ruby-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912008" version="601">
<red-def:name>rubygem-json</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912009" version="601">
<red-def:name>rubygems-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912010" version="601">
<red-def:name>ruby-irb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912011" version="601">
<red-def:name>rubygem-minitest</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912012" version="601">
<red-def:name>rubygem-bigdecimal</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912013" version="601">
<red-def:name>rubygems</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912014" version="601">
<red-def:name>rubygem-rdoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912015" version="601">
<red-def:name>rubygem-io-console</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912016" version="601">
<red-def:name>ruby-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912017" version="601">
<red-def:name>ruby-tcltk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912018" version="601">
<red-def:name>rubygem-rake</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141912019" version="601">
<red-def:name>rubygem-psych</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141956005" version="601">
<red-def:name>wpa_supplicant</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141976005" version="601">
<red-def:name>rpm</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141976006" version="601">
<red-def:name>rpm-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141976007" version="601">
<red-def:name>rpm-cron</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141976008" version="601">
<red-def:name>rpm-build</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141976009" version="601">
<red-def:name>rpm-build-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141976010" version="601">
<red-def:name>rpm-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141976011" version="601">
<red-def:name>rpm-sign</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141976012" version="601">
<red-def:name>rpm-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141976013" version="601">
<red-def:name>rpm-apidocs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141983005" version="601">
<red-def:name>xorg-x11-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141983006" version="601">
<red-def:name>xorg-x11-server-Xnest</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141983007" version="601">
<red-def:name>xorg-x11-server-Xdmx</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141983008" version="601">
<red-def:name>xorg-x11-server-source</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141983009" version="601">
<red-def:name>xorg-x11-server-Xephyr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141983010" version="601">
<red-def:name>xorg-x11-server-common</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141983011" version="601">
<red-def:name>xorg-x11-server-Xvfb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141983012" version="601">
<red-def:name>xorg-x11-server-Xorg</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141983013" version="601">
<red-def:name>xorg-x11-server-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984002" version="601">
<red-def:name>bind</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984003" version="601">
<red-def:name>bind-sdb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984004" version="601">
<red-def:name>bind-chroot</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984005" version="601">
<red-def:name>bind-utils</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984006" version="601">
<red-def:name>bind-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984007" version="601">
<red-def:name>bind-libbind-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984008" version="601">
<red-def:name>bind-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984009" version="601">
<red-def:name>caching-nameserver</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984014" version="601">
<red-def:name>bind-license</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984015" version="601">
<red-def:name>bind-sdb-chroot</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984016" version="601">
<red-def:name>bind-lite-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141984017" version="601">
<red-def:name>bind-libs-lite</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20141999005" version="601">
<red-def:name>mailx</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20142021005" version="601">
<red-def:name>jasper</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20142021006" version="601">
<red-def:name>jasper-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20142021007" version="601">
<red-def:name>jasper-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20142021008" version="601">
<red-def:name>jasper-utils</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20142024005" version="601">
<red-def:name>ntp</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20142024006" version="601">
<red-def:name>sntp</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20142024007" version="601">
<red-def:name>ntp-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20142024008" version="601">
<red-def:name>ntpdate</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20142024009" version="601">
<red-def:name>ntp-perl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150100005" version="601">
<red-def:name>libyaml</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150100006" version="601">
<red-def:name>libyaml-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166005" version="601">
<red-def:name>subversion</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166006" version="601">
<red-def:name>subversion-kde</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166007" version="601">
<red-def:name>subversion-ruby</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166008" version="601">
<red-def:name>subversion-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166009" version="601">
<red-def:name>subversion-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166010" version="601">
<red-def:name>mod_dav_svn</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166011" version="601">
<red-def:name>subversion-gnome</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166012" version="601">
<red-def:name>subversion-javahl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166013" version="601">
<red-def:name>subversion-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166014" version="601">
<red-def:name>subversion-perl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150166015" version="601">
<red-def:name>subversion-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150301005" version="601">
<red-def:name>hivex</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150301006" version="601">
<red-def:name>ocaml-hivex</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150301007" version="601">
<red-def:name>ruby-hivex</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150301008" version="601">
<red-def:name>hivex-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150301009" version="601">
<red-def:name>python-hivex</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150301010" version="601">
<red-def:name>perl-hivex</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150301011" version="601">
<red-def:name>ocaml-hivex-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150330005" version="601">
<red-def:name>pcre</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150330006" version="601">
<red-def:name>pcre-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150330007" version="601">
<red-def:name>pcre-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150330008" version="601">
<red-def:name>pcre-static</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377005" version="601">
<red-def:name>mdds</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377006" version="601">
<red-def:name>mdds-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377007" version="601">
<red-def:name>libmwaw</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377008" version="601">
<red-def:name>libmwaw-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377009" version="601">
<red-def:name>libmwaw-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377010" version="601">
<red-def:name>libmwaw-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377011" version="601">
<red-def:name>libodfgen</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377012" version="601">
<red-def:name>libodfgen-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377013" version="601">
<red-def:name>libodfgen-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377014" version="601">
<red-def:name>libcmis</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377015" version="601">
<red-def:name>libcmis-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377016" version="601">
<red-def:name>libcmis-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377017" version="601">
<red-def:name>libabw</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377018" version="601">
<red-def:name>libabw-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377019" version="601">
<red-def:name>libabw-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377020" version="601">
<red-def:name>libabw-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377021" version="601">
<red-def:name>libfreehand</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377022" version="601">
<red-def:name>libfreehand-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377023" version="601">
<red-def:name>libfreehand-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377024" version="601">
<red-def:name>libfreehand-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377025" version="601">
<red-def:name>libetonyek</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377026" version="601">
<red-def:name>libetonyek-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377027" version="601">
<red-def:name>libetonyek-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377028" version="601">
<red-def:name>libetonyek-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377029" version="601">
<red-def:name>liblangtag</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377030" version="601">
<red-def:name>liblangtag-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377031" version="601">
<red-def:name>liblangtag-gobject</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377032" version="601">
<red-def:name>liblangtag-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377033" version="601">
<red-def:name>libreoffice</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377034" version="601">
<red-def:name>libreoffice-langpack-lt</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377035" version="601">
<red-def:name>libreoffice-opensymbol-fonts</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377036" version="601">
<red-def:name>libreoffice-langpack-nn</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377037" version="601">
<red-def:name>libreoffice-langpack-da</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377038" version="601">
<red-def:name>autocorr-is</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377039" version="601">
<red-def:name>libreoffice-langpack-nr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377040" version="601">
<red-def:name>libreoffice-langpack-zh-Hant</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377041" version="601">
<red-def:name>libreoffice-graphicfilter</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377042" version="601">
<red-def:name>libreoffice-langpack-sl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377043" version="601">
<red-def:name>libreoffice-librelogo</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377044" version="601">
<red-def:name>libreoffice-headless</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377045" version="601">
<red-def:name>autocorr-de</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377046" version="601">
<red-def:name>libreoffice-gdb-debug-support</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377047" version="601">
<red-def:name>libreoffice-langpack-uk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377048" version="601">
<red-def:name>autocorr-sr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377049" version="601">
<red-def:name>libreoffice-core</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377050" version="601">
<red-def:name>autocorr-es</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377051" version="601">
<red-def:name>libreoffice-langpack-ro</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377052" version="601">
<red-def:name>libreoffice-langpack-ar</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377053" version="601">
<red-def:name>libreoffice-langpack-eu</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377054" version="601">
<red-def:name>libreoffice-langpack-pt-BR</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377055" version="601">
<red-def:name>autocorr-pl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377056" version="601">
<red-def:name>libreoffice-postgresql</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377057" version="601">
<red-def:name>libreoffice-langpack-ts</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377058" version="601">
<red-def:name>libreoffice-langpack-ta</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377059" version="601">
<red-def:name>libreoffice-sdk-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377060" version="601">
<red-def:name>libreoffice-langpack-he</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377061" version="601">
<red-def:name>libreoffice-langpack-nso</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377062" version="601">
<red-def:name>autocorr-af</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377063" version="601">
<red-def:name>autocorr-ga</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377064" version="601">
<red-def:name>libreoffice-langpack-pl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377065" version="601">
<red-def:name>autocorr-fi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377066" version="601">
<red-def:name>libreoffice-langpack-mai</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377067" version="601">
<red-def:name>autocorr-ca</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377068" version="601">
<red-def:name>autocorr-vi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377069" version="601">
<red-def:name>autocorr-da</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377070" version="601">
<red-def:name>autocorr-hr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377071" version="601">
<red-def:name>libreoffice-impress</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377072" version="601">
<red-def:name>libreoffice-langpack-tr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377073" version="601">
<red-def:name>libreoffice-langpack-ga</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377074" version="601">
<red-def:name>libreoffice-langpack-es</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377075" version="601">
<red-def:name>autocorr-pt</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377076" version="601">
<red-def:name>libreoffice-langpack-te</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377077" version="601">
<red-def:name>libreoffice-langpack-lv</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377078" version="601">
<red-def:name>libreoffice-base</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377079" version="601">
<red-def:name>libreoffice-langpack-de</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377080" version="601">
<red-def:name>autocorr-fa</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377081" version="601">
<red-def:name>libreoffice-langpack-th</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377082" version="601">
<red-def:name>autocorr-mn</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377083" version="601">
<red-def:name>libreoffice-nlpsolver</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377084" version="601">
<red-def:name>libreoffice-ure</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377085" version="601">
<red-def:name>libreoffice-langpack-fr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377086" version="601">
<red-def:name>autocorr-ru</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377087" version="601">
<red-def:name>libreoffice-langpack-ss</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377088" version="601">
<red-def:name>autocorr-sv</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377089" version="601">
<red-def:name>libreoffice-langpack-zh-Hans</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377090" version="601">
<red-def:name>libreoffice-langpack-ve</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377091" version="601">
<red-def:name>libreoffice-writer</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377092" version="601">
<red-def:name>autocorr-it</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377093" version="601">
<red-def:name>libreoffice-langpack-mr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377094" version="601">
<red-def:name>libreoffice-langpack-ja</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377095" version="601">
<red-def:name>libreoffice-langpack-pt-PT</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377096" version="601">
<red-def:name>libreoffice-langpack-sk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377097" version="601">
<red-def:name>libreoffice-langpack-cy</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377098" version="601">
<red-def:name>autocorr-tr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377099" version="601">
<red-def:name>autocorr-cs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377100" version="601">
<red-def:name>libreoffice-emailmerge</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377101" version="601">
<red-def:name>libreoffice-langpack-hr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377102" version="601">
<red-def:name>libreoffice-langpack-kk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377103" version="601">
<red-def:name>libreoffice-langpack-af</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377104" version="601">
<red-def:name>libreoffice-langpack-fa</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377105" version="601">
<red-def:name>libreoffice-langpack-pa</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377106" version="601">
<red-def:name>libreoffice-langpack-gu</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377107" version="601">
<red-def:name>libreoffice-langpack-nl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377108" version="601">
<red-def:name>libreoffice-langpack-or</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377109" version="601">
<red-def:name>libreoffice-langpack-ru</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377110" version="601">
<red-def:name>autocorr-sl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377111" version="601">
<red-def:name>libreoffice-langpack-si</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377112" version="601">
<red-def:name>libreoffice-langpack-fi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377113" version="601">
<red-def:name>libreoffice-langpack-ca</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377114" version="601">
<red-def:name>libreoffice-langpack-cs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377115" version="601">
<red-def:name>autocorr-sk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377116" version="601">
<red-def:name>libreoffice-langpack-it</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377117" version="601">
<red-def:name>libreoffice-rhino</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377118" version="601">
<red-def:name>libreoffice-langpack-hu</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377119" version="601">
<red-def:name>libreoffice-langpack-tn</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377120" version="601">
<red-def:name>libreoffice-langpack-br</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377121" version="601">
<red-def:name>autocorr-zh</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377122" version="601">
<red-def:name>autocorr-nl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377123" version="601">
<red-def:name>libreoffice-langpack-st</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377124" version="601">
<red-def:name>libreoffice-sdk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377125" version="601">
<red-def:name>libreoffice-pyuno</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377126" version="601">
<red-def:name>libreoffice-langpack-ko</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377127" version="601">
<red-def:name>autocorr-hu</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377128" version="601">
<red-def:name>autocorr-en</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377129" version="601">
<red-def:name>libreoffice-math</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377130" version="601">
<red-def:name>libreoffice-langpack-en</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377131" version="601">
<red-def:name>autocorr-ja</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377132" version="601">
<red-def:name>libreoffice-langpack-gl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377133" version="601">
<red-def:name>libreoffice-glade</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377134" version="601">
<red-def:name>libreoffice-langpack-kn</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377135" version="601">
<red-def:name>libreoffice-filters</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377136" version="601">
<red-def:name>libreoffice-langpack-as</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377137" version="601">
<red-def:name>libreoffice-langpack-bn</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377138" version="601">
<red-def:name>autocorr-lb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377139" version="601">
<red-def:name>autocorr-fr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377140" version="601">
<red-def:name>libreoffice-draw</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377141" version="601">
<red-def:name>libreoffice-pdfimport</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377142" version="601">
<red-def:name>libreoffice-langpack-dz</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377143" version="601">
<red-def:name>libreoffice-langpack-sv</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377144" version="601">
<red-def:name>libreoffice-wiki-publisher</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377145" version="601">
<red-def:name>autocorr-lt</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377146" version="601">
<red-def:name>libreoffice-langpack-hi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377147" version="601">
<red-def:name>libreoffice-ogltrans</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377148" version="601">
<red-def:name>libreoffice-langpack-bg</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377149" version="601">
<red-def:name>libreoffice-langpack-zu</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377150" version="601">
<red-def:name>libreoffice-langpack-et</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377151" version="601">
<red-def:name>libreoffice-calc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377152" version="601">
<red-def:name>libreoffice-langpack-xh</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377153" version="601">
<red-def:name>libreoffice-langpack-sr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377154" version="601">
<red-def:name>libreoffice-langpack-ml</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377155" version="601">
<red-def:name>libreoffice-xsltfilter</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377156" version="601">
<red-def:name>libreoffice-langpack-nb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377157" version="601">
<red-def:name>autocorr-ko</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377158" version="601">
<red-def:name>libreoffice-langpack-el</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377159" version="601">
<red-def:name>autocorr-bg</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377160" version="601">
<red-def:name>libreoffice-bsh</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150377161" version="601">
<red-def:name>autocorr-ro</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150383005" version="601">
<red-def:name>ppc64-diag</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150384005" version="601">
<red-def:name>powerpc-utils</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150425005" version="603">
<red-def:name>openssh</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150425006" version="603">
<red-def:name>openssh-ldap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150425007" version="603">
<red-def:name>openssh-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150425008" version="603">
<red-def:name>openssh-keycat</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150425009" version="603">
<red-def:name>openssh-askpass</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150425010" version="603">
<red-def:name>openssh-server-sysvinit</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150425011" version="603">
<red-def:name>openssh-clients</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150425012" version="603">
<red-def:name>pam_ssh_agent_auth</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150430005" version="601">
<red-def:name>virt-who</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150439005" version="601">
<red-def:name>krb5</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150439006" version="601">
<red-def:name>krb5-pkinit</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150439007" version="601">
<red-def:name>krb5-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150439008" version="601">
<red-def:name>krb5-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150439009" version="601">
<red-def:name>krb5-workstation</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150439010" version="601">
<red-def:name>krb5-server-ldap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150439011" version="601">
<red-def:name>krb5-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150442005" version="601">
<red-def:name>ipa</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150442006" version="601">
<red-def:name>ipa-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150442007" version="601">
<red-def:name>ipa-client</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150442008" version="601">
<red-def:name>ipa-admintools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150442009" version="601">
<red-def:name>ipa-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150442010" version="601">
<red-def:name>ipa-server-trust-ad</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535005" version="601">
<red-def:name>cogl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535006" version="601">
<red-def:name>cogl-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535007" version="601">
<red-def:name>cogl-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535008" version="601">
<red-def:name>clutter</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535009" version="601">
<red-def:name>clutter-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535010" version="601">
<red-def:name>clutter-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535011" version="601">
<red-def:name>gnome-shell</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535012" version="601">
<red-def:name>gnome-shell-browser-plugin</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535013" version="601">
<red-def:name>mutter</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150535014" version="601">
<red-def:name>mutter-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150642005" version="601">
<red-def:name>thunderbird</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150696005" version="601">
<red-def:name>freetype</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150696006" version="601">
<red-def:name>freetype-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150696007" version="601">
<red-def:name>freetype-demos</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150700005" version="601">
<red-def:name>unzip</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150727005" version="601">
<red-def:name>kernel-rt</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150727006" version="601">
<red-def:name>kernel-rt-trace</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150727007" version="601">
<red-def:name>kernel-rt-trace-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150727008" version="601">
<red-def:name>kernel-rt-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150727009" version="601">
<red-def:name>kernel-rt-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150727010" version="601">
<red-def:name>kernel-rt-debug-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150727011" version="601">
<red-def:name>kernel-rt-virt</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150727012" version="601">
<red-def:name>kernel-rt-virt-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150727013" version="601">
<red-def:name>kernel-rt-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150728005" version="601">
<red-def:name>slapi-nis</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150729002" version="601">
<red-def:name>setroubleshoot</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150729003" version="601">
<red-def:name>setroubleshoot-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150729008" version="601">
<red-def:name>setroubleshoot-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750005" version="601">
<red-def:name>postgresql</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750006" version="601">
<red-def:name>postgresql-plpython</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750007" version="601">
<red-def:name>postgresql-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750008" version="601">
<red-def:name>postgresql-plperl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750009" version="601">
<red-def:name>postgresql-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750010" version="601">
<red-def:name>postgresql-docs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750011" version="601">
<red-def:name>postgresql-contrib</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750012" version="601">
<red-def:name>postgresql-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750013" version="601">
<red-def:name>postgresql-pltcl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750014" version="601">
<red-def:name>postgresql-test</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150750015" version="601">
<red-def:name>postgresql-upgrade</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150767005" version="601">
<red-def:name>flac</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150767006" version="601">
<red-def:name>flac-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150767007" version="601">
<red-def:name>flac-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150809005" version="601">
<red-def:name>java-1.8.0-openjdk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150809006" version="601">
<red-def:name>java-1.8.0-openjdk-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150809007" version="601">
<red-def:name>java-1.8.0-openjdk-demo</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150809008" version="601">
<red-def:name>java-1.8.0-openjdk-headless</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150809009" version="601">
<red-def:name>java-1.8.0-openjdk-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150809010" version="601">
<red-def:name>java-1.8.0-openjdk-src</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150809011" version="601">
<red-def:name>java-1.8.0-openjdk-accessibility</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150980005" version="602">
<red-def:name>pcs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150980006" version="602">
<red-def:name>python-clufter</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150986005" version="602">
<red-def:name>kexec-tools-anaconda-addon</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150986006" version="602">
<red-def:name>kexec-tools-eppic</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20150986007" version="602">
<red-def:name>kexec-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083005" version="601">
<red-def:name>abrt-addon-kerneloops</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083006" version="601">
<red-def:name>abrt-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083007" version="601">
<red-def:name>abrt-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083008" version="601">
<red-def:name>abrt-console-notification</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083009" version="601">
<red-def:name>abrt-gui-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083010" version="601">
<red-def:name>abrt-addon-xorg</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083011" version="601">
<red-def:name>abrt-addon-vmcore</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083012" version="601">
<red-def:name>abrt-gui</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083013" version="601">
<red-def:name>abrt-addon-pstoreoops</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083014" version="601">
<red-def:name>abrt-desktop</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083015" version="601">
<red-def:name>abrt</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083016" version="601">
<red-def:name>abrt-gui-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083017" version="601">
<red-def:name>abrt-addon-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083018" version="601">
<red-def:name>abrt-cli</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083019" version="601">
<red-def:name>abrt-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083020" version="601">
<red-def:name>abrt-retrace-client</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083021" version="601">
<red-def:name>abrt-dbus</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083022" version="601">
<red-def:name>abrt-tui</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083023" version="601">
<red-def:name>abrt-addon-ccpp</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083024" version="601">
<red-def:name>abrt-addon-upload-watch</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083025" version="601">
<red-def:name>abrt-python-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083026" version="601">
<red-def:name>libreport-plugin-ureport</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083027" version="601">
<red-def:name>libreport-rhel-anaconda-bugzilla</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083028" version="601">
<red-def:name>libreport-rhel-bugzilla</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083029" version="601">
<red-def:name>libreport-gtk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083030" version="601">
<red-def:name>libreport-plugin-logger</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083031" version="601">
<red-def:name>libreport-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083032" version="601">
<red-def:name>libreport-plugin-mailx</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083033" version="601">
<red-def:name>libreport-plugin-reportuploader</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083034" version="601">
<red-def:name>libreport-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083035" version="601">
<red-def:name>libreport-newt</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083036" version="601">
<red-def:name>libreport</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083037" version="601">
<red-def:name>libreport-plugin-bugzilla</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083038" version="601">
<red-def:name>libreport-filesystem</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083039" version="601">
<red-def:name>libreport-cli</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083040" version="601">
<red-def:name>libreport-gtk-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083041" version="601">
<red-def:name>libreport-plugin-kerneloops</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083042" version="601">
<red-def:name>libreport-plugin-rhtsupport</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083043" version="601">
<red-def:name>libreport-web</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083044" version="601">
<red-def:name>libreport-web-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083045" version="601">
<red-def:name>libreport-compat</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083046" version="601">
<red-def:name>libreport-anaconda</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151083047" version="601">
<red-def:name>libreport-rhel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151123005" version="601">
<red-def:name>cups-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151123006" version="601">
<red-def:name>cups-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151123007" version="601">
<red-def:name>cups</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151123008" version="601">
<red-def:name>cups-php</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151123009" version="601">
<red-def:name>cups-lpd</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151123010" version="601">
<red-def:name>cups-ipptool</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151123011" version="601">
<red-def:name>cups-client</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151123012" version="601">
<red-def:name>cups-filesystem</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151153005" version="601">
<red-def:name>mailman</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151154005" version="602">
<red-def:name>libreswan</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151193005" version="601">
<red-def:name>xerces-c</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151193006" version="601">
<red-def:name>xerces-c-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151193007" version="601">
<red-def:name>xerces-c-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151483005" version="601">
<red-def:name>libuser-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151483006" version="601">
<red-def:name>libuser-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151483007" version="601">
<red-def:name>libuser</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151635005" version="601">
<red-def:name>lemon</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151635006" version="601">
<red-def:name>sqlite</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151635007" version="601">
<red-def:name>sqlite-tcl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151635008" version="601">
<red-def:name>sqlite-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151635009" version="601">
<red-def:name>sqlite-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151636005" version="601">
<red-def:name>net-snmp-utils</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151636006" version="601">
<red-def:name>net-snmp</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151636007" version="601">
<red-def:name>net-snmp-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151636008" version="601">
<red-def:name>net-snmp-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151636009" version="601">
<red-def:name>net-snmp-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151636010" version="601">
<red-def:name>net-snmp-perl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151636011" version="601">
<red-def:name>net-snmp-sysvinit</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151636012" version="601">
<red-def:name>net-snmp-agent-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151636013" version="601">
<red-def:name>net-snmp-gui</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151640005" version="601">
<red-def:name>pam</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151640006" version="601">
<red-def:name>pam-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151694005" version="601">
<red-def:name>gdk-pixbuf2</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151694006" version="601">
<red-def:name>gdk-pixbuf2-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151695005" version="601">
<red-def:name>jakarta-taglibs-standard-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151695006" version="601">
<red-def:name>jakarta-taglibs-standard</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151714005" version="601">
<red-def:name>spice-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151714006" version="601">
<red-def:name>spice-server-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151714007" version="601">
<red-def:name>spice</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151840002" version="601">
<red-def:name>openldap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151840003" version="601">
<red-def:name>openldap-servers</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151840004" version="601">
<red-def:name>openldap-servers-overlays</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151840005" version="601">
<red-def:name>openldap-clients</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151840006" version="601">
<red-def:name>openldap-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151840007" version="601">
<red-def:name>compat-openldap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151840008" version="601">
<red-def:name>openldap-servers-sql</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151917005" version="601">
<red-def:name>libwmf</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151917006" version="601">
<red-def:name>libwmf-lite</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151917007" version="601">
<red-def:name>libwmf-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151919005" version="601">
<red-def:name>java-1.8.0-openjdk-headless-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151919008" version="601">
<red-def:name>java-1.8.0-openjdk-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151919010" version="601">
<red-def:name>java-1.8.0-openjdk-devel-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151919011" version="601">
<red-def:name>java-1.8.0-openjdk-demo-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151919013" version="601">
<red-def:name>java-1.8.0-openjdk-src-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20151919016" version="601">
<red-def:name>java-1.8.0-openjdk-javadoc-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152079005" version="601">
<red-def:name>binutils</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152079006" version="601">
<red-def:name>binutils-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152101005" version="601">
<red-def:name>python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152101006" version="601">
<red-def:name>python-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152101007" version="601">
<red-def:name>python-test</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152101008" version="601">
<red-def:name>tkinter</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152101009" version="601">
<red-def:name>python-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152101010" version="601">
<red-def:name>python-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152101011" version="601">
<red-def:name>python-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152108005" version="601">
<red-def:name>cpio</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152111005" version="601">
<red-def:name>grep</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152140005" version="601">
<red-def:name>libssh2</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152140006" version="601">
<red-def:name>libssh2-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152140007" version="601">
<red-def:name>libssh2-docs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152151005" version="601">
<red-def:name>xfsprogs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152151006" version="601">
<red-def:name>xfsprogs-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152151007" version="601">
<red-def:name>xfsprogs-qa-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152155005" version="601">
<red-def:name>file-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152155006" version="601">
<red-def:name>file-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152155007" version="601">
<red-def:name>file-static</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152155008" version="601">
<red-def:name>file</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152155009" version="601">
<red-def:name>python-magic</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152159005" version="601">
<red-def:name>libcurl-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152159006" version="601">
<red-def:name>libcurl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152159007" version="601">
<red-def:name>curl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152180005" version="601">
<red-def:name>rubygem-thor</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152180006" version="601">
<red-def:name>rubygem-thor-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152180007" version="601">
<red-def:name>rubygem-bundler</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152180008" version="601">
<red-def:name>rubygem-bundler-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152184005" version="601">
<red-def:name>realmd</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152184006" version="601">
<red-def:name>realmd-devel-docs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152233005" version="601">
<red-def:name>tigervnc-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152233006" version="601">
<red-def:name>tigervnc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152233007" version="601">
<red-def:name>tigervnc-server-minimal</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152233008" version="601">
<red-def:name>tigervnc-server-module</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152233009" version="601">
<red-def:name>tigervnc-icons</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152233010" version="601">
<red-def:name>tigervnc-license</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152233011" version="601">
<red-def:name>tigervnc-server-applet</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152237005" version="601">
<red-def:name>rest-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152237006" version="601">
<red-def:name>rest</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152241005" version="601">
<red-def:name>chrony</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152248005" version="601">
<red-def:name>netcf</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152248006" version="601">
<red-def:name>netcf-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152248007" version="601">
<red-def:name>netcf-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315005" version="601">
<red-def:name>ModemManager-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315006" version="601">
<red-def:name>ModemManager-glib</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315007" version="601">
<red-def:name>ModemManager</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315008" version="601">
<red-def:name>ModemManager-vala</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315009" version="601">
<red-def:name>ModemManager-glib-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315010" version="601">
<red-def:name>nm-connection-editor</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315011" version="601">
<red-def:name>libnm-gtk-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315012" version="601">
<red-def:name>libnm-gtk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315013" version="601">
<red-def:name>network-manager-applet</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315014" version="601">
<red-def:name>NetworkManager-libreswan-gnome</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315015" version="601">
<red-def:name>NetworkManager-libreswan</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315016" version="601">
<red-def:name>NetworkManager-libnm-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315017" version="601">
<red-def:name>NetworkManager-adsl</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315018" version="601">
<red-def:name>NetworkManager-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315019" version="601">
<red-def:name>NetworkManager-wwan</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315020" version="601">
<red-def:name>NetworkManager</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315021" version="601">
<red-def:name>NetworkManager-glib-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315022" version="601">
<red-def:name>NetworkManager-libnm</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315023" version="601">
<red-def:name>NetworkManager-wifi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315024" version="601">
<red-def:name>NetworkManager-tui</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315025" version="601">
<red-def:name>NetworkManager-team</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315026" version="601">
<red-def:name>NetworkManager-config-server</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315027" version="601">
<red-def:name>NetworkManager-glib</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315028" version="601">
<red-def:name>NetworkManager-bluetooth</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152315029" version="601">
<red-def:name>NetworkManager-config-routing-rules</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355005" version="601">
<red-def:name>libipa_hbac</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355006" version="601">
<red-def:name>sssd-ad</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355007" version="601">
<red-def:name>sssd-krb5</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355008" version="601">
<red-def:name>libsss_simpleifp-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355009" version="601">
<red-def:name>sssd-krb5-common</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355010" version="601">
<red-def:name>sssd-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355011" version="601">
<red-def:name>libsss_nss_idmap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355012" version="601">
<red-def:name>sssd-ldap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355013" version="601">
<red-def:name>libsss_simpleifp</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355014" version="601">
<red-def:name>sssd-libwbclient</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355015" version="601">
<red-def:name>sssd-ipa</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355016" version="601">
<red-def:name>sssd-dbus</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355017" version="601">
<red-def:name>python-libsss_nss_idmap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355018" version="601">
<red-def:name>sssd-libwbclient-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355019" version="601">
<red-def:name>python-sss</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355020" version="601">
<red-def:name>sssd-proxy</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355021" version="601">
<red-def:name>sssd-common-pac</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355022" version="601">
<red-def:name>libsss_nss_idmap-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355023" version="601">
<red-def:name>sssd-common</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355024" version="601">
<red-def:name>python-libipa_hbac</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355025" version="601">
<red-def:name>libsss_idmap-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355026" version="601">
<red-def:name>libipa_hbac-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355027" version="601">
<red-def:name>libsss_idmap</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355028" version="601">
<red-def:name>sssd</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355029" version="601">
<red-def:name>python-sss-murmur</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355030" version="601">
<red-def:name>sssd-client</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152355031" version="601">
<red-def:name>python-sssdconfig</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152369005" version="601">
<red-def:name>openhpi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152369006" version="601">
<red-def:name>openhpi-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152369007" version="601">
<red-def:name>openhpi-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152383005" version="601">
<red-def:name>pacemaker-cluster-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152383006" version="601">
<red-def:name>pacemaker-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152383007" version="601">
<red-def:name>pacemaker-nagios-plugins-metadata</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152383008" version="601">
<red-def:name>pacemaker-cts</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152383009" version="601">
<red-def:name>pacemaker</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152383010" version="601">
<red-def:name>pacemaker-libs-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152383011" version="601">
<red-def:name>pacemaker-cli</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152383012" version="601">
<red-def:name>pacemaker-doc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152383013" version="601">
<red-def:name>pacemaker-remote</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152401005" version="601">
<red-def:name>grub2</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152401006" version="601">
<red-def:name>grub2-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152401007" version="601">
<red-def:name>grub2-efi-modules</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152401008" version="601">
<red-def:name>grub2-efi</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152411006" version="601">
<red-def:name>kernel-rt-debug-kvm</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152411009" version="601">
<red-def:name>kernel-rt-trace-kvm</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152411014" version="601">
<red-def:name>kernel-rt-kvm</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152417005" version="601">
<red-def:name>autofs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152455005" version="601">
<red-def:name>unbound-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152455006" version="601">
<red-def:name>unbound</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152455007" version="601">
<red-def:name>unbound-python</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152455008" version="601">
<red-def:name>unbound-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152522005" version="601">
<red-def:name>apache-commons-collections-testframework</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152522006" version="601">
<red-def:name>apache-commons-collections</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152522007" version="601">
<red-def:name>apache-commons-collections-testframework-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152522008" version="601">
<red-def:name>apache-commons-collections-javadoc</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561005" version="602">
<red-def:name>git</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561006" version="602">
<red-def:name>git-daemon</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561007" version="602">
<red-def:name>git-svn</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561008" version="602">
<red-def:name>git-all</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561009" version="602">
<red-def:name>git-cvs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561010" version="602">
<red-def:name>git-email</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561011" version="602">
<red-def:name>perl-Git-SVN</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561012" version="602">
<red-def:name>git-bzr</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561013" version="602">
<red-def:name>git-gui</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561014" version="602">
<red-def:name>gitweb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561015" version="602">
<red-def:name>git-hg</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561016" version="602">
<red-def:name>emacs-git</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561017" version="602">
<red-def:name>gitk</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561018" version="602">
<red-def:name>emacs-git-el</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561019" version="602">
<red-def:name>perl-Git</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152561020" version="602">
<red-def:name>git-p4</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152595005" version="601">
<red-def:name>libpng12-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152595006" version="601">
<red-def:name>libpng12</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152596005" version="601">
<red-def:name>libpng-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152596006" version="601">
<red-def:name>libpng-static</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152596007" version="601">
<red-def:name>libpng</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152619028" version="601">
<red-def:name>libreoffice-langpack-ms</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152619081" version="601">
<red-def:name>libreoffice-langpack-ur</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152619132" version="601">
<red-def:name>libreoffice-officebean</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152655011" version="601">
<red-def:name>bind-pkcs11-utils</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152655013" version="601">
<red-def:name>bind-pkcs11-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152655014" version="601">
<red-def:name>bind-pkcs11-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20152655015" version="601">
<red-def:name>bind-pkcs11</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160005005" version="601">
<red-def:name>rpcbind</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160006008" version="602">
<red-def:name>samba-common-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160006009" version="602">
<red-def:name>ctdb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160006010" version="602">
<red-def:name>samba-common-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160006016" version="602">
<red-def:name>samba-test-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160006020" version="602">
<red-def:name>ctdb-tests</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160006024" version="602">
<red-def:name>samba-client-libs</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160006025" version="602">
<red-def:name>ctdb-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160009005" version="601">
<red-def:name>pyldb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160009006" version="601">
<red-def:name>ldb-tools</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160009007" version="601">
<red-def:name>libldb</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160009008" version="601">
<red-def:name>pyldb-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160009009" version="601">
<red-def:name>libldb-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160012008" version="601">
<red-def:name>gnutls-guile</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160049010" version="601">
<red-def:name>java-1.8.0-openjdk-accessibility-debug</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160188005" version="601">
<red-def:name>sos</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160189005" version="601">
<red-def:name>polkit</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160189006" version="601">
<red-def:name>polkit-devel</red-def:name>
</red-def:rpminfo_object>
<red-def:rpminfo_object id="oval:com.redhat.rhsa:obj:20160189007" version="601">
<red-def:name>polkit-docs</red-def:name>
</red-def:rpminfo_object>
</objects>
<states>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140675001" version="601">
<red-def:signature_keyid operation="equals">199e2f91fd431d51</red-def:signature_keyid>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140675002" version="601">
<red-def:version operation="pattern match">^7[^\d]</red-def:version>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140675003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.55-2.4.7.2.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140678003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-123.1.2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140679003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-34.el7_0.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140680003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.8e-29.el7_0.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140684003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.1.18-9.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140685003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.0-6.1.13.3.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140686003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:7.0.42-5.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140687003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.3-5.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140702003" version="602">
<red-def:evr datatype="evr_string" operation="less than">1:5.5.37-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140703003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.11-4.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140704003" version="601">
<red-def:evr datatype="evr_string" operation="less than">10:1.5.3-60.el7_0.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140741002" version="601">
<red-def:signature_keyid operation="equals">5326810137017186</red-def:signature_keyid>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140741003" version="601">
<red-def:version operation="pattern match">^5[^\d]</red-def:version>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140741004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:24.6.0-1.el5_10</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140741005" version="601">
<red-def:version operation="pattern match">^6[^\d]</red-def:version>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140741006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:24.6.0-1.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140741008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:24.6.0-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140786003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-123.4.2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140790003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:2.0.9-7.el6_5.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140790005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:2.2.10-4.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140827003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:7.0.42-6.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140861003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.03-3.1.el6_5.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140861005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.06-6.el7_0.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140867003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.1.1-35.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140889003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.65-2.5.1.2.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140889005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.65-2.5.1.2.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140907004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.0-6.1.13.4.el5_10</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140907006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.0-6.1.13.4.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140907008" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.0-6.1.13.4.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140914003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.1-29.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140916004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.15.3-7.el5_10</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140916005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.10.6-1.el5_10</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140916007" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.15.4-7.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140916008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.10.6-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140919004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:24.7.0-1.el5_10</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140919006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:24.7.0-1.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140919008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:24.7.0-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140921003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.4.6-18.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140921004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:2.4.6-18.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140923003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-123.4.4.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20140927003" version="602">
<red-def:evr datatype="evr_string" operation="less than">10:1.5.3-60.el7_0.5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141008003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:4.1.1-37.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141011003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:2.3.5-3.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141013003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:5.4.16-23.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141023003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-123.6.3.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141031003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.2.11.15-34.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141031005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.3.1.6-26.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141034003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:7.0.42-8.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141052003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.1e-16.el6_5.15</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141052005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-34.el7_0.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141073003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.2-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141073005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.2-2.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141091003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.4-12.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141110004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.5-118.el5_10.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141110006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.12-1.132.el6_5.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141110008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.17-55.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141144004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:24.8.0-2.el5_10</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141144006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:24.8.0-1.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141144008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:24.8.0-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141146003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.5-5.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141147003" version="601">
<red-def:evr datatype="evr_string" operation="less than">7:3.3.8-12.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141166004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:3.0-7jpp.4.el5_10</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141166006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:3.1-0.9.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141166008" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:3.1-16.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141172004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.22-17.1.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141172006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.22-25.1.el6_5.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141172008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.22-34.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141281003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-123.8.1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141292003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.5.2-3.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141293004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.1.2-15.el6_5.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141293006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.2-33.el5.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141293008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.45-5.el7_0.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141306004" version="604">
<red-def:evr datatype="evr_string" operation="less than">0:4.1.2-15.el6_5.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141306006" version="604">
<red-def:evr datatype="evr_string" operation="less than">0:3.2-33.el5_11.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141306008" version="604">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.45-5.el7_0.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141307004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.1-2.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141307005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.1-7.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141307006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.14.3-12.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141307008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.1-4.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141307012" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.2-7.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141319003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.7.1-12.7.el6_5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141319005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.11.0-17.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141327003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:5.4.16-23.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141352003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.1-29.el7_0.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141359003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.103.0-10.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141397003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:7.4.7-7.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141620003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.71-2.5.3.1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141620005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.71-2.5.3.1.el6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141634004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.33-1.13.5.0.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141634006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.33-1.13.5.0.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141634008" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.33-1.13.5.0.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141635004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.2.0-3.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141635006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.2.0-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141635007" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.2.0-3.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141635009" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.2.0-3.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141652003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-34.el7_0.6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141652005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.1e-30.el6_6.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141655003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.9.1-5.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141655005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.7.6-17.el6_6.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141669003" version="602">
<red-def:evr datatype="evr_string" operation="less than">10:1.5.3-60.el7_0.10</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141676003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.10.3-12.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141676005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.8.10-8.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141724003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-123.9.2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141764003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.14-10.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141764005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.12-5.el6_6.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141767003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:5.4.16-23.el7_0.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141767005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:5.3.3-40.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141795003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.35-15.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141801003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.7-8.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141826003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.9-9.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141826005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.7-7.el6_6.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141827003" version="601">
<red-def:evr datatype="evr_string" operation="less than">7:4.10.5-8.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141846003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.1.18-10.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141861003" version="602">
<red-def:evr datatype="evr_string" operation="less than">1:5.5.40-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141870003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.4.7-2.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141870005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.4.5-4.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141912003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.0.0.353-22.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141912004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.7.7-22.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141912005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.0.14-22.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141912006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.3.2-22.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141912007" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.2.0-22.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141912008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.0.0-22.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141912009" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.4.2-22.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141912010" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.6-22.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141912011" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.0.0-22.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141919004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.3.0-4.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141919006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.3.0-3.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141919008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.3.0-3.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141948004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.2.3-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141948006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.2.3-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141948008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.2.3-2.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141948010" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.2.3-3.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141948011" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.2.3-2.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141956003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:2.0-13.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141971003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-123.13.1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141976003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.11.1-18.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141983003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.15.0-7.el7_0.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141983005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.15.0-25.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141984004" version="601">
<red-def:evr datatype="evr_string" operation="less than">30:9.3.6-25.P1.el5_11.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141984006" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.9.4-14.el7_0.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141984008" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.8.2-0.30.rc1.el6_6.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141999003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:12.5-12.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20141999005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:12.4-8.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20142010003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-123.13.2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20142021003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.900.1-26.el7_0.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20142021005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.900.1-16.el6_6.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20142023003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.17-55.el7_0.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20142024003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.6p5-19.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20142024005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.6p5-2.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150008003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.1-29.el7_0.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150046004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.4.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150046006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.4.0-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150046009" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.4.0-1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150066003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-34.el7_0.7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150066005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.1e-30.el6_6.5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150067003" version="604">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.75-2.5.4.2.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150067005" version="604">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.75-2.5.4.0.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150074003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.900.1-26.el7_0.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150074005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.900.1-16.el6_6.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150085004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.34-1.13.6.1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150085006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.34-1.13.6.1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150085008" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.34-1.13.6.1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150092003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.17-55.el7_0.5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150092005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.12-1.149.el6_6.5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150100003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.1.4-11.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150100005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.1.3-4.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150102003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-123.20.1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150118003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:5.5.41-2.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150166003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.7.14-7.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150252003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.1.1-38.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150265004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.5.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150265006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.5.0-2.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150265007" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.5.0-1.el7_0</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150265009" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.5.0-1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150290003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150301003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.3.10-5.7.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150323003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.2.8-16.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150325003" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:2.4.6-31.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150325004" version="603">
<red-def:evr datatype="evr_string" operation="less than">1:2.4.6-31.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150327003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.17-78.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150330003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:8.32-14.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150349003" version="601">
<red-def:evr datatype="evr_string" operation="less than">10:1.5.3-86.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150377003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.10.3-1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150377004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.2.0-4.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150377005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.0.4-1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150377006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.4.1-5.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150377007" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.0.2-1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150377008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.0.0-3.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150377009" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.0.4-2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150377010" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.5.4-8.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150377011" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:4.2.6.3-5.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150383003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.6.7-6.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150384003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.2.24-7.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150416003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.3.3.1-13.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150425003" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:6.6.1p1-11.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150425004" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.3-9.11.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150430003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.11-5.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150439003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.12.2-14.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150442003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.1.0-18.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150535003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.14.0-6.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150535004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.14.4-12.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150535005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.8.4-45.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150535006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.8.4-16.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150642003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.5.0-2.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150672003" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.8.2-0.30.rc1.el6_6.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150672005" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.9.4-18.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150696003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.3.11-15.el6_6.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150696005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.4.11-10.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150700003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:6.0-2.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150700005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:6.0-15.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150716003" version="602">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-42.el7_1.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150718004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.5.3-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150718006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.5.3-1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150718008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.5.3-3.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150726003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.1.2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150727003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.1.2.rt56.141.2.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150728003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.54-3.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150728004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.1.0-18.el7_1.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150729004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.0.5-7.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150729006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.0.47-6.el6_6.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150729008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.2.17-4.1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150749003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.9.1-5.el7_1.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150750003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:8.4.20-2.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150750005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:9.2.10-2.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150766004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.6.0-2.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150766006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.6.0-2.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150766008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.6.0-2.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150767003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.2.1-7.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150767005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.3.0-5.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150771004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.6.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150771006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.6.0-1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150771008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.6.0-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150797003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.15.0-26.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150797005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.15.0-33.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150806003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.79-2.5.5.1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150806005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.79-2.5.5.1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150808004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.35-1.13.7.1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150808006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.35-1.13.7.1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150808008" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.35-1.13.7.1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150809003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.8.0.45-28.b13.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150809005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.8.0.45-30.b13.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150895003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.3.3.1-16.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150980003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.137-13.el7_1.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150981003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.4.2.rt56.141.6.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150983003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:7.0.54-2.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150986003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:2.0.7-19.el7_1.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150987003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.4.2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150988004" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:38.0-4.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150988006" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:38.0-4.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150988008" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:38.0-3.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20150999003" version="601">
<red-def:evr datatype="evr_string" operation="less than">10:1.5.3-86.el7_1.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151012004" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:31.7.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151012006" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:31.7.0-1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151012008" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:31.7.0-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151072003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.1e-30.el6_6.9</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151072005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-42.el7_1.6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151083003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.1.11-22.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151083004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.1.11-23.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151090003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:2.0-17.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151115003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.1e-30.el6_6.11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151115005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-42.el7_1.8</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151123003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.4.2-67.el6_6.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151123005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.3-17.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151135003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:5.4.16-36.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151137003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.7.2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151139003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.7.2.rt56.141.6.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151153003" version="601">
<red-def:evr datatype="evr_string" operation="less than">3:2.1.15-21.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151154003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:3.12-10.1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151185003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151185004" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-3.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151185006" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151185007" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-3.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151193003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.1.1-7.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151194003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:8.4.20-3.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151194005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:9.2.13-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151207004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.1.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151207006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.1.0-1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151207008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.1.0-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151228003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.8.0.51-0.b16.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151228005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.8.0.51-1.b16.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151229003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.85-2.6.1.3.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151229005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.85-2.6.1.2.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151443003" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.9.4-18.el7_1.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151455004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.8.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151455006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.8.0-1.el6_6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151455008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:31.8.0-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151483003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.60-7.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151507003" version="601">
<red-def:evr datatype="evr_string" operation="less than">10:1.5.3-86.el7_1.5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151510003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.14.4-12.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151513003" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.8.2-0.37.rc1.el6_7.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151513005" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.9.4-18.el7_1.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151526004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.36-1.13.8.1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151526006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.36-1.13.8.1.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151526008" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.36-1.13.8.1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151534003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.11.1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151565003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.11.1.rt56.141.11.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151581004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.1.1-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151581006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.1.1-1.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151581008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.1.1-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151586004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.2.0-4.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151586006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.2.0-4.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151586008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.2.0-4.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151635003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.7.17-6.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151636003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:5.5-54.el6_7.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151636005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:5.7.2-20.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151640003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.1-20.el6_7.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151640005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.8-12.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151665003" version="602">
<red-def:evr datatype="evr_string" operation="less than">1:5.5.44-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151667003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.4.6-31.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151667004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:2.4.6-31.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151682008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.2.0-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151693004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.2.1-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151693006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.2.1-1.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151693008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.2.1-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151694003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.24.1-6.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151694005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.28.2-5.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151695003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.1-11.7.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151695005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.2-14.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151699003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.14.3-23.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151699005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.16.2.3-13.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151700003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.139-9.el6_7.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151700005" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.137-13.el7_1.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151705003" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.8.2-0.37.rc1.el6_7.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151705005" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.9.4-18.el7_1.5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151708003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.4.5-5.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151708005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.4.7-3.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151714003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.12.4-9.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151741003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.5.4-2.el6_7.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151741005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.5.4-4.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151742003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.7.14-7.el7_1.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151778003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.14.1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151788003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.14.1.rt56.141.13.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151793003" version="601">
<red-def:evr datatype="evr_string" operation="less than">10:1.5.3-86.el7_1.6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151834004" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:38.3.0-2.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151834006" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:38.3.0-2.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151834008" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:38.3.0-2.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151840004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.3.43-29.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151840005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.3.43_2.2.29-29.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151840007" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.4.40-6.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151840009" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.4.39-7.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151852004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.3.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151852006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.3.0-1.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151852008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.3.0-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151890003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.12.4-9.el7_1.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151917003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.2.8.4-25.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151917005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.2.8.4-41.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151919003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.8.0.65-0.b17.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151919005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.8.0.65-2.b17.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151920003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.91-2.6.2.2.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151920005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.91-2.6.2.1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151930003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.6p5-5.el6_7.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151930005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.6p5-19.el7_1.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151943003" version="601">
<red-def:evr datatype="evr_string" operation="less than">10:1.5.3-86.el7_1.8</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151977003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.20.1.rt56.141.14.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151978003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-229.20.1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151979003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.15-5.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151981003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-5.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151981004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.10.8-2.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151981005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-2.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151981007" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.10.8-2.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151981008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-7.el7_1.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151981009" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-4.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151982004" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:38.4.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151982006" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:38.4.0-1.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20151982008" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:38.4.0-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152078003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:9.2.14-1.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152079003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.23.52.0.1-55.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152086004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.37-1.13.9.4.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152086006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.37-1.13.9.4.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152086008" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.37-1.13.9.4.el7_1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152088003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:6.6.1p1-22.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152088004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.3-9.22.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152101003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.7.5-34.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152108003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.11-24.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152111003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.20-2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152131003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.4.40-8.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152140003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.4.3-10.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152151003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.2.2-2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152152003" version="603">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-327.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152154003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.13.2-10.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152155003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:5.11-31.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152159003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:7.29.0-25.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152172003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.17-106.el7_2.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152180003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.19.1-1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152180004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.7.8-3.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152184003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.16.1-5.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152199003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.17-105.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152231003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.6p5-22.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152233003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.3.1-3.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152237003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.7.92-3.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152241003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.1.1-1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152248003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.2.8-1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152290003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.143-15.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152315003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.0-8.git20130913.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152315004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.6-2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152315005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.6-3.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152315006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.6-27.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152345003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:5.7.2-24.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152355003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.13.0-40.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152360003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.35-21.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152369003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.4.0-2.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152378003" version="601">
<red-def:evr datatype="evr_string" operation="less than">7:3.3.8-26.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152383003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.13-10.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152393003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.10.14-7.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152401003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:2.02-0.29.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152411003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-327.rt56.204.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152417003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:5.0.7-54.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152455003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.4.20-26.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152505003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.1.11-35.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152505004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.1.11-31.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152519008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.4.0-1.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152522003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.2.1-22.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152550003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:2.9.1-6.el7_2.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152552003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-327.3.1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152561003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:1.8.3.1-6.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152595003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.2.50-7.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152596003" version="601">
<red-def:evr datatype="evr_string" operation="less than">2:1.5.13-7.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152617003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.1e-42.el6_7.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152617005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-51.el7_2.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152619003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:4.2.8.2-11.el6_7.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152619005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:4.3.7.2-5.el7_2.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152623003" version="603">
<red-def:evr datatype="evr_string" operation="less than">1:2.02-0.33.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152655003" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.8.2-0.37.rc1.el6_7.5</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152655005" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.9.4-29.el7_2.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152657004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.5.0-2.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152657006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.5.0-2.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20152657008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.5.0-3.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160001004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.5.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160001006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.5.0-1.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160001008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.5.0-1.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160005003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.2.0-11.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160005005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.2.0-33.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160006003" version="602">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.3-11.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160007003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-8.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160007005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.19.1-19.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160008003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.1e-42.el6_7.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160008005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-51.el7_2.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160009003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.13-3.el6_7.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160009005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.1.20-1.el7_2.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160012003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.8.5-19.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160012005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.3.8-14.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160043003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:6.6.1p1-23.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160043004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.9.3-9.23.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160049003" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.8.0.71-2.b15.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160054004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.95-2.6.4.1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160054006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.7.0.95-2.6.4.0.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160063003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.6p5-5.el6_7.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160063005" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:4.2.6p5-22.el7_2.1</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160064003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-327.4.5.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160065003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-327.4.5.rt56.206.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160067004" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.38-1.13.10.0.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160067006" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.38-1.13.10.0.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160067008" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.6.0.38-1.13.10.0.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160071004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.6.0-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160071006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.6.0-1.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160071008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.6.0-1.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160073004" version="601">
<red-def:evr datatype="evr_string" operation="less than">30:9.3.6-25.P1.el5_11.6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160073006" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.8.2-0.37.rc1.el6_7.6</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160073008" version="601">
<red-def:evr datatype="evr_string" operation="less than">32:9.9.4-29.el7_2.2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160083003" version="603">
<red-def:evr datatype="evr_string" operation="less than">10:1.5.3-105.el7_2.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160176003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:2.17-106.el7_2.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160185003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-327.10.1.el7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160188003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.2-35.el7_2.3</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160189003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:0.112-6.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160197004" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.6.1-1.el5_11</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160197006" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.6.1-1.el6_7</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160197008" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:38.6.1-1.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160204003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.3.4.0-26.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160212003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:3.10.0-327.10.1.rt56.211.el7_2</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160301003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:1.0.1e-42.el6_7.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160301005" version="601">
<red-def:evr datatype="evr_string" operation="less than">1:1.0.1e-51.el7_2.4</red-def:evr>
</red-def:rpminfo_state>
<red-def:rpminfo_state id="oval:com.redhat.rhsa:ste:20160346003" version="601">
<red-def:evr datatype="evr_string" operation="less than">0:9.2.15-1.el7_2</red-def:evr>
</red-def:rpminfo_state>
</states>
</oval_definitions>
false
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/testing_data/evaluation_spec_cve_scan.xml�������������������������������0000644�0001751�0000033�00000000220�13163222324�024617� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������cve_scanlocalhostfalse
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/testing_data/evaluation_spec_sds.xml������������������������������������0000644�0001751�0000033�00002746244�13163222324�023660� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
sdslocalhost
<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_ssg-fedora-xccdf-1.2.xml" schematron-version="1.0">
<ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-fedora-xccdf-1.2.xml" scap-version="1.2" use-case="OTHER">
<ds:dictionaries>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-fedora-cpe-dictionary.xml" xlink:href="#scap_org.open-scap_comp_output--ssg-fedora-cpe-dictionary.xml">
<cat:catalog>
<cat:uri name="ssg-fedora-cpe-oval.xml" uri="#scap_org.open-scap_cref_output--ssg-fedora-cpe-oval.xml"/>
</cat:catalog>
</ds:component-ref>
</ds:dictionaries>
<ds:checklists>
<ds:component-ref id="scap_org.open-scap_cref_ssg-fedora-xccdf-1.2.xml" xlink:href="#scap_org.open-scap_comp_ssg-fedora-xccdf-1.2.xml">
<cat:catalog>
<cat:uri name="ssg-fedora-oval.xml" uri="#scap_org.open-scap_cref_ssg-fedora-oval.xml"/>
</cat:catalog>
</ds:component-ref>
</ds:checklists>
<ds:checks>
<ds:component-ref id="scap_org.open-scap_cref_ssg-fedora-oval.xml" xlink:href="#scap_org.open-scap_comp_ssg-fedora-oval.xml"/>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-fedora-cpe-oval.xml" xlink:href="#scap_org.open-scap_comp_output--ssg-fedora-cpe-oval.xml"/>
<ds:component-ref id="scap_org.open-scap_cref_output--ssg-fedora-oval.xml" xlink:href="#scap_org.open-scap_comp_output--ssg-fedora-oval.xml"/></ds:checks>
</ds:data-stream>
<ds:component id="scap_org.open-scap_comp_ssg-fedora-oval.xml" timestamp="2015-03-17T12:23:34">
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
<generator>
<oval:product_name>python</oval:product_name>
<oval:product_version>2.6.6</oval:product_version>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2011-09-21T13:44:00</oval:timestamp>
</generator>
<definitions>
<definition class="compliance" id="oval:ssg:def:125" version="1">
<metadata>
<title>Specify a Remote NTP Server for Time Data</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Multiple NTP Servers for time synchronization should be
specified</description>
<reference source="galford" ref_id="20141107" ref_url="test_attestation"/>
<reference ref_id="ntpd_specify_multiple_servers" source="ssg"/></metadata>
<criteria comment="ntp.conf conditions are met">
<criterion test_ref="oval:ssg:tst:126"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:127" version="1">
<metadata>
<title>No nullok Option in /etc/pam.d/system-auth</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The file /etc/pam.d/system-auth should not contain the nullok option</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="no_empty_passwords" source="ssg"/></metadata>
<criteria>
<criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="oval:ssg:tst:128"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:129" version="1">
<metadata>
<title>Set Password minclass Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minclass should meet the minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_minclass" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for minclass are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:131"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:100" version="1">
<metadata>
<title>Fedora release 19 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:19" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 19 (Schrödinger's Cat)</description>
<reference ref_id="installed_OS_is_fedora19" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 19 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:132" version="1">
<metadata>
<title>Package openssh-server Removed</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package openssh-server should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_openssh-server_removed" source="ssg"/></metadata>
<criteria>
<criterion comment="package openssh-server is removed" test_ref="oval:ssg:tst:133"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:134" version="1">
<metadata>
<title>Package dconf Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The RPM package dconf should be installed.</description>
<reference source="galford" ref_id="20140424" ref_url="test_attestation"/>
<reference ref_id="package_dconf_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package dconf is installed" test_ref="oval:ssg:tst:135"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:136" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The maximum password age policy should meet minimum requirements.</description>
<reference source="JL" ref_id="RHEL6_20150130" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150130" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150130" ref_url="test_attestation"/>
<reference ref_id="accounts_maximum_age_login_defs" source="ssg"/></metadata>
<criteria comment="The value PASS_MAX_DAYS should be set appropriately in /etc/login.defs">
<criterion test_ref="oval:ssg:tst:137"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:138" version="1">
<metadata>
<title>Verify that System Executables Have Root Ownership</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
/usr/local/sbin, and objects therein, are owned by root.
</description>
<reference ref_id="file_ownership_binary_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:139"/>
<criterion test_ref="oval:ssg:tst:140"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:141" version="1">
<metadata>
<title>Set OpenSSH Idle Timeout Interval</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The SSH idle timeout interval should be set to an
appropriate value.</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140224" ref_url="test_attestation" /> -->
<reference ref_id="sshd_set_idle_timeout" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="oval:ssg:tst:143"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:144" version="1">
<metadata>
<title>Enable GNOME3 Login Warning Banner</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Enable the GNOME3 Login warning banner.</description>
<reference source="galford" ref_id="20140823" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_banner_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Enable GUI banner" test_ref="oval:ssg:tst:146"/>
<criterion comment="Prevent user from disabling banner" test_ref="oval:ssg:tst:147"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:148" version="1">
<metadata>
<title>Verify that Shared Library Files Have Root Ownership</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are owned by root.
</description>
<reference ref_id="file_ownership_library_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:149"/>
<criterion test_ref="oval:ssg:tst:150"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:151" version="2">
<metadata>
<title>Disable Prelinking</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Fedora 20</platform>
</affected>
<description>The prelinking feature can interfere with the operation of
checksum integrity tools (e.g. AIDE), mitigates the protection provided
by ASLR, and requires additional CPU cycles by software upgrades.
</description>
<reference source="JL" ref_id="20140313" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140313" ref_url="test_attestation" /> -->
<reference ref_id="disable_prelink" source="ssg"/></metadata>
<criteria>
<criterion comment="Ensure prelinking is disabled" test_ref="oval:ssg:tst:152"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:153" version="2">
<metadata>
<title>Set SHA512 Password Hashing Algorithm in /etc/login.defs</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The password hashing algorithm should be set correctly in /etc/login.defs.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="set_password_hashing_algorithm_logindefs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:154"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:155" version="1">
<metadata>
<title>Proper Permissions User Home Directories</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>File permissions should be set correctly for the home directories for all user accounts.</description>
<reference source="JL" ref_id="RHEL6_20141106" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20141106" ref_url="test_attestation"/>
<reference source="JL" ref_id="Fedora20_20141106" ref_url="test_attestation"/>
<reference ref_id="file_permissions_home_dirs" source="ssg"/></metadata>
<criteria>
<criterion comment="home directories" test_ref="oval:ssg:tst:156" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:157" version="3">
<metadata>
<title>Lock out account after failed login attempts</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The number of allowed failed logins should be set correctly.</description>
<reference source="JL" ref_id="RHEL6_20150122" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150122" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150122" ref_url="test_attestation"/>
<reference ref_id="accounts_passwords_pam_faillock_deny" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:158" comment="pam_faillock.so preauth silent set in system-auth"/>
<criterion test_ref="oval:ssg:tst:159" comment="pam_faillock.so authfail deny value set in system-auth"/>
<criterion test_ref="oval:ssg:tst:160" comment="pam_faillock.so set in account phase of system-auth"/>
<criterion test_ref="oval:ssg:tst:161" comment="pam_faillock.so preauth silent set in password-auth"/>
<criterion test_ref="oval:ssg:tst:162" comment="pam_faillock.so authfail deny value set in password-auth"/>
<criterion test_ref="oval:ssg:tst:163" comment="pam_faillock.so set in account phase of password-auth"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:164" version="2">
<metadata>
<title>SNMP use newer protocols</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>SNMP version 1 and 2c must not be enabled.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="snmpd_use_newer_protocol" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="SMNP installed" definition_ref="oval:ssg:def:165"/>
<criterion comment="SNMP protocols" test_ref="oval:ssg:tst:166"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:167" version="1">
<metadata>
<title>Banner for FTP Users</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>To trace malicious activity facilitated by the FTP
service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log format.
</description>
<reference source="galford" ref_id="20140812" ref_url="test_attestation"/>
<reference ref_id="ftp_log_transactions" source="ssg"/></metadata>
<criteria comment="FTP is not being used or the conditions are met" operator="OR">
<extend_definition comment="vsftp package is not installed" definition_ref="oval:ssg:def:168" negate="true"/>
<criteria comment="FTP configuration conditions are not set or are met" operator="AND">
<criterion comment="log ftp transactions enable" test_ref="oval:ssg:tst:169"/>
<criterion comment="log ftp transactions format" test_ref="oval:ssg:tst:170"/>
<criterion comment="log ftp transactions protocol" test_ref="oval:ssg:tst:171"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:172" version="1">
<metadata>
<title>Implement Blank Screensaver</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The GNOME3 screensaver should be blank.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_mode_blank" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable blank screensaver and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="screensaver is blank" test_ref="oval:ssg:tst:173"/>
<criterion comment="screensaver prevent user from changing mode" test_ref="oval:ssg:tst:174"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:175" version="2">
<metadata>
<title>Kernel Runtime Parameter "kernel.exec-shield" Check</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The kernel runtime parameter "kernel.exec-shield" should not be disabled and set to 1 on 32-bit systems.</description>
<reference source="galford" ref_id="201410" ref_url="test_attestation"/>
<reference ref_id="sysctl_kernel_exec_shield" source="ssg"/></metadata>
<criteria operator="OR">
<criteria operator="AND" comment="system is RHEL6">
<extend_definition comment="RHEL6 installed" definition_ref="oval:ssg:def:104"/>
<criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:176"/>
<criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:177"/>
</criteria>
<criteria operator="AND">
<extend_definition comment="32-bit system" definition_ref="oval:ssg:def:178"/>
<criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:176"/>
<criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:177"/>
</criteria>
<criteria operator="AND">
<extend_definition comment="64-bit system" definition_ref="oval:ssg:def:179"/>
<criterion comment="NX is supported and is not disabled" test_ref="oval:ssg:tst:180"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:181" version="1">
<metadata>
<title>Package ntp Installed</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package ntp should be installed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_ntp_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package ntp is installed" test_ref="oval:ssg:tst:182"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:165" version="1">
<metadata>
<title>Package net-snmp Removed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The RPM package net-snmp should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_net-snmp_removed" source="ssg"/></metadata>
<criteria>
<criterion comment="package net-snmp is removed" test_ref="oval:ssg:tst:183"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:179" version="1">
<!-- Note that this does not meet requirements for class=inventory as
that only tests for patches per 5.10.1 Revision 1 -->
<metadata>
<title>Test for x86_64 Architecture</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>Generic test for x86_64 architecture to be used by other tests</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="system_info_architecture_x86_64" source="ssg"/></metadata>
<criteria>
<criterion comment="Generic test for x86_64 architecture" test_ref="oval:ssg:tst:184"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:185" version="1">
<metadata>
<title>Set Password retry Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password retry should meet minimum
requirements</description>
<reference source="swells" ref_id="20140925" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_retry" source="ssg"/></metadata>
<criteria operator="OR" comment="Conditions for retry are satisfied">
<criteria operator="AND" comment="system is RHEL6 with pam_cracklib configured">
<extend_definition comment="RHEL6 installed" definition_ref="oval:ssg:def:104"/>
<criterion comment="rhel6 pam_cracklib" test_ref="oval:ssg:tst:186"/>
</criteria>
<criteria operator="AND" comment="system is RHEL7 with pam_pwquality configured">
<extend_definition comment="RHEL7 installed" definition_ref="oval:ssg:def:107"/>
<criterion comment="rhel7 pam_pwquality" test_ref="oval:ssg:tst:187"/>
</criteria>
<criteria operator="AND" comment="system is Fedora with pam_pwquality configured">
<extend_definition comment="Fedora installed" definition_ref="oval:ssg:def:100"/>
<criterion comment="Fedora pam_pwquality" test_ref="oval:ssg:tst:187"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:188" version="1">
<metadata>
<title>Package Antivirus Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Antivirus software should be installed.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="install_antivirus" source="ssg"/></metadata>
<criteria comment="Antivirus is not being used or conditions are met">
<criterion comment="Linuxshield AntiVirus package is installed" test_ref="oval:ssg:tst:189"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:190" version="1">
<metadata>
<title>Set Password minlen Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minlen should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_minlen" source="ssg"/></metadata>
<criteria operator="AND" comment="system uses pam_pwquality configured">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pam_pwquality" test_ref="oval:ssg:tst:191"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:103" version="1">
<metadata>
<title>Fedora release 20 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 20</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:20" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 20 (Schrödinger's Cat)</description>
<reference ref_id="installed_OS_is_fedora20" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 20 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:192" version="1">
<metadata>
<title>File grub.cfg Permissions</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>File permissions for grub.cfg should be set to 0600 (or stronger). By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_permissions_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:193"/>
<criterion test_ref="oval:ssg:tst:194"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:195" version="1">
<metadata>
<title>Ensure gpgcheck Enabled For All Yum Package Repositories</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Ensure all yum repositories utilize signature checking.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- rhel7 <reference source="SDW" ref_id="20131223" ref_url="test_attestation" /> -->
<reference ref_id="ensure_gpgcheck_never_disabled" source="ssg"/></metadata>
<criteria comment="ensure all yum repositories utilize signiature checking" operator="AND">
<criterion comment="verify no gpgpcheck=0 present in /etc/yum.repos.d files" test_ref="oval:ssg:tst:196"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:197" version="1">
<metadata>
<title>Enable GUI Warning Banner</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Enable the GUI warning banner.</description>
<reference source="galford" ref_id="20140902" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_login_banner_text" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Prevent user from changing banner" test_ref="oval:ssg:tst:198"/>
<criterion comment="Login banner is correctly set" test_ref="oval:ssg:tst:199"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:200" version="1">
<metadata>
<title>Verify No netrc Files Exist</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="no_netrc_files" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:201" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:178" version="1">
<!-- Note that this does not meet requirements for class=inventory as
that only tests for patches per 5.10.1 Revision 1 -->
<metadata>
<title>Test for x86 Architecture</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>Generic test for x86 architecture to be used by other tests</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="system_info_architecture_x86" source="ssg"/></metadata>
<criteria>
<criterion comment="Generic test for x86 architecture" test_ref="oval:ssg:tst:202"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:203" version="1">
<metadata>
<title>Specify a Remote NTP Server for Time Data</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>A remote NTP Server for time synchronization should be
specified (and dependencies are met)</description>
<reference source="galford" ref_id="20141111" ref_url="test_attestation"/>
<reference ref_id="ntpd_specify_remote_server" source="ssg"/></metadata>
<criteria comment="ntp.conf conditions are met">
<criterion test_ref="oval:ssg:tst:204"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:205" version="1">
<metadata>
<title>Set ClientAliveCountMax for User Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The SSH ClientAliveCountMax should be set to an appropriate
value (and dependencies are met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_set_keepalive" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config" test_ref="oval:ssg:tst:206"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:207" version="1">
<metadata>
<title>System Accounts Do Not Run a Shell</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The root account is the only system account that should have a login shell.</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="no_shelllogin_for_systemaccounts" source="ssg"/></metadata>
<criteria>
<criterion comment="tests for the presence of login shells (not /sbin/nologin) for system accounts in /etc/passwd file" test_ref="oval:ssg:tst:208"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:168" version="1">
<metadata>
<title>Package vsftpd Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package vsftpd should be installed.</description>
<reference source="JL" ref_id="20140522" ref_url="test_attestation"/>
<reference ref_id="package_vsftpd_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package vsftpd is installed" test_ref="oval:ssg:tst:209"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:210" version="1">
<metadata>
<title>Ensure insecure_locks is disabled</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Allowing insecure file locking could allow for sensitive
data to be viewed or edited by an unauthorized user.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="no_insecure_locks_exports" source="ssg"/></metadata>
<criteria>
<criterion comment="Check for insecure NFS locks in /etc/exports" test_ref="oval:ssg:tst:211"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:212" version="2">
<metadata>
<title>SNMP default communities disabled</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>SNMP default communities must be removed.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="snmpd_not_default_password" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="SMNP installed" definition_ref="oval:ssg:def:165"/>
<criterion comment="SNMP communities" test_ref="oval:ssg:tst:213"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:214" version="2">
<metadata>
<title>Set Password ucredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password ucredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_ucredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for ucredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:215"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:130" version="1">
<metadata>
<title>Check pam_pwquality Existence in system-auth</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>Check that pam_pwquality.so exists in system-auth</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_pwquality" source="ssg"/></metadata>
<criteria>
<criterion comment="Conditions for pam_pwquality are satisfied" test_ref="oval:ssg:tst:216"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:217" version="1">
<metadata>
<title>Disable GNOME3 Automounting</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives)
whenever they are inserted into the system. Disable automount and autorun
within GNOME3.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_disable_automount" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Disable automount in GNOME3" test_ref="oval:ssg:tst:218"/>
<criterion comment="Disable automount-open in GNOME3" test_ref="oval:ssg:tst:219"/>
<criterion comment="Disable autorun in GNOME3" test_ref="oval:ssg:tst:220"/>
<criterion comment="Prevent user from changing automount setting" test_ref="oval:ssg:tst:221"/>
<criterion comment="Prevent user from changing automount-open setting" test_ref="oval:ssg:tst:222"/>
<criterion comment="Prevent user from changing autorun setting" test_ref="oval:ssg:tst:223"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:142" version="1">
<metadata>
<title>Service sshd Disabled</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<description>
The sshd service should be disabled.
</description>
<reference ref_id="service_sshd_disabled" source="ssg"/></metadata>
<criteria comment="package openssh-server removed or service sshd is not configured to start" operator="OR">
<extend_definition comment="openssh-server removed" definition_ref="oval:ssg:def:132"/>
<criterion comment="sshd disabled in multi-user.target" test_ref="oval:ssg:tst:224"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:225" version="1">
<metadata>
<title>Limit Password Reuse</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The passwords to remember should be set correctly.</description>
<reference source="SDW" ref_id="20131025" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_unix_remember" source="ssg"/></metadata>
<criteria>
<criterion comment="remember parameter is set to 0" test_ref="oval:ssg:tst:226"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:227" version="1">
<metadata>
<title>Disable Empty Passwords</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Remote connections from accounts with empty passwords should
be disabled (and dependencies are met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_disable_empty_passwords" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check PermitEmptyPasswords in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg:tst:228"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:104" version="1">
<metadata>
<title>Red Hat Enterprise Linux 6</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 6</description>
<reference ref_id="installed_OS_is_rhel6" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:ssg:tst:105"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:ssg:tst:106"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:229" version="2">
<metadata>
<title>Set Password ocredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password ocredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_ocredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for ocredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:230"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:231" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password expiration warning age should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_password_warn_age_login_defs" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:232"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:233" version="1">
<metadata>
<title>Verify that System Executables Have Restrictive Permissions</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
/usr/local/bin, and /usr/local/sbin, are not group-writable or world-writable.
</description>
<reference ref_id="file_permissions_binary_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:234"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:235" version="1">
<metadata>
<title>Set Password maxrepeat Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password maxrepeat should meet minimum
requirements using pam_pwquality</description>
<reference source="galford" ref_id="20141006" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_maxrepeat" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for maxrepeat are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:236"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:237" version="1">
<metadata>
<title>File grub.cfg Owned By root User</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub.cfg file should be owned by the root user. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_user_owner_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:238"/>
<criterion test_ref="oval:ssg:tst:239"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:240" version="1">
<metadata>
<title>Verify that Shared Library Files Have Restrictive Permissions</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are not group-writable or world-writable.
</description>
<reference ref_id="file_permissions_library_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:241"/>
<criterion test_ref="oval:ssg:tst:242"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:243" version="1">
<metadata>
<title>Disable root Login via SSH</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Root login via SSH should be disabled (and dependencies are
met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_disable_root_login" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg:tst:244"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:245" version="1">
<metadata>
<title>Restrict Serial Port Root Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Preventing direct root login to serial port interfaces helps
ensure accountability for actions taken on the system using the root
account.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="restrict_serial_port_logins" source="ssg"/></metadata>
<criteria>
<criterion comment="serial ports /etc/securetty" test_ref="oval:ssg:tst:246" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:247" version="2">
<metadata>
<title>Set Password difok Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password difok should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_difok" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for difok are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:248"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:249" version="1">
<metadata>
<title>Ensure Yum gpgcheck Globally Activated</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The gpgcheck option should be used to ensure that checking
of an RPM package's signature always occurs prior to its
installation.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- rhel7: <reference source="SDW" ref_id="20131223" ref_url="test_attestation" /> -->
<reference ref_id="ensure_gpgcheck_globally_activated" source="ssg"/></metadata>
<criteria>
<criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="oval:ssg:tst:250"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:251" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minimum length should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_password_minlen_login_defs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:252"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:253" version="2">
<metadata>
<title>System Login Banner Compliance</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The system login banner text should be set correctly.</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="banner_etc_issue" source="ssg"/></metadata>
<criteria>
<criterion comment="/etc/issue is set appropriately" test_ref="oval:ssg:tst:254"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:255" version="1">
<metadata>
<title>Disable All GNOME3 Thumbnailers</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The system's default desktop environment, GNOME3, uses a
number of different thumbnailer programs to generate thumbnails for any
new or modified content in an opened folder. Disable the execution of
these thumbnail applications within GNOME3.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_disable_thumbnailers" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Disable Gnome3 Thumbnailers and prevent user from enabling" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Disable thumbnailers in GNOME3" test_ref="oval:ssg:tst:256"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:257"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:145" version="1">
<metadata>
<title>Implement Local DB for DConf User Profile</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The DConf User profile should have the local DB configured.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="enable_dconf_user_profile" source="ssg"/></metadata>
<criteria>
<criterion comment="dconf user profile exists" test_ref="oval:ssg:tst:258"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:259" version="2">
<metadata>
<title>Kernel Runtime Parameter IPv6 Check</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Disables IPv6 for all network interfaces.</description>
<reference source="galford" ref_id="20141015" ref_url="test_attestation"/>
<reference ref_id="sysctl_kernel_ipv6_disable" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="Disable IPv6 runtime check" test_ref="oval:ssg:tst:260"/>
<criterion comment="Disable IPv6 in sysctl.d conf file" test_ref="oval:ssg:tst:261"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:262" version="2">
<metadata>
<title>Set Password lcredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password lcredit should meet minimum requirements</description>
<reference source="swells" ref_id="20140926" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_lcredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for lcredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:263"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:264" version="1">
<metadata>
<title>Set Boot Loader Password</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub2 boot loader should have password protection enabled.</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="bootloader_password" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="make sure a password is defined in /etc/grub2.cfg" test_ref="oval:ssg:tst:265"/>
<criterion comment="make sure a superuser is defined in /etc/grub2.cfg" test_ref="oval:ssg:tst:266"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:267" version="1">
<metadata>
<title>All Password Hashes Shadowed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>All password hashes should be shadowed.</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="accounts_password_all_shadowed" source="ssg"/></metadata>
<criteria>
<criterion comment="password hashes are shadowed" test_ref="oval:ssg:tst:268"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:269" version="1">
<metadata>
<title>Enable GNOME3 Screensaver Idle Activation</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Idle activation of the screen saver should be enabled.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_idle_activation_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="check screensaver idle activation and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="idle activation has been configured" test_ref="oval:ssg:tst:270"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:271"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:272" version="1">
<metadata>
<title>Service ntpd Enabled</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<description>
The ntpd service should be enabled.
</description>
<reference ref_id="service_ntpd_enabled" source="ssg"/></metadata>
<criteria comment="package ntp installed and service ntpd is configured to start" operator="AND">
<extend_definition comment="ntp installed" definition_ref="oval:ssg:def:181"/>
<criterion comment="ntpd multi-user.target" test_ref="oval:ssg:tst:273"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:274" version="2">
<metadata>
<title>Write permissions are disabled for group and other in all
directories in Root's Path</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Check each directory in root's path and make use it does
not grant write permission to group and other</description>
<reference source="JL" ref_id="RHEL6_20141119" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20141119" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20141119" ref_url="test_attestation"/>
<reference ref_id="accounts_root_path_dirs_no_write" source="ssg"/></metadata>
<criteria comment="Check that write permission to group and other in root's path is denied">
<criterion comment="Check for write permission to group and other in root's path" test_ref="oval:ssg:tst:275"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:107" version="1">
<metadata>
<title>Red Hat Enterprise Linux 7</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 7</description>
<reference ref_id="installed_OS_is_rhel7" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:108"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:ssg:tst:109"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:ssg:tst:110"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:276" version="1">
<metadata>
<title>UID 0 Belongs Only To Root</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Only the root account should be assigned a user id of 0.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140303" ref_url="test_attestation" /> -->
<reference ref_id="accounts_no_uid_except_zero" source="ssg"/></metadata>
<criteria>
<criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="oval:ssg:tst:277"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:278" version="1">
<metadata>
<title>File grub.cfg Owned By root Group </title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub.cfg file should be owned by the root group. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_group_owner_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:279"/>
<criterion test_ref="oval:ssg:tst:280"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:281" version="1">
<metadata>
<title>Restrict Virtual Console Root Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system using the
root account.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="securetty_root_login_console_only" source="ssg"/></metadata>
<criteria>
<criterion comment="virtual consoles /etc/securetty" test_ref="oval:ssg:tst:282"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:283" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The minimum password age policy should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_minimum_age_login_defs" source="ssg"/></metadata>
<criteria comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs">
<criterion test_ref="oval:ssg:tst:284"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:285" version="1">
<metadata>
<title>Set Password dcredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password dcredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_dcredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for dcredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:286"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:287" version="1">
<metadata>
<title>Enable GNOME3 Screensaver Lock After Idle Period</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Idle activation of the screen lock should be enabled.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_lock_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable screensaver lock and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="screensaver lock is enabled" test_ref="oval:ssg:tst:288"/>
<criterion comment="screensaver lock prevent user from changing" test_ref="oval:ssg:tst:289"/>
<criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg:tst:290"/>
<criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg:tst:291"/>
<criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg:tst:290"/>
<criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg:tst:291"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:292" version="1">
<metadata>
<title>Banner for FTP Users</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>This setting will cause the system greeting banner to be
used for FTP connections as well.</description>
<reference source="galford" ref_id="20140812" ref_url="test_attestation"/>
<reference ref_id="ftp_present_banner" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="vsftpd package is not installed" negate="true" definition_ref="oval:ssg:def:168"/>
<criterion comment="Banner for FTP Users" test_ref="oval:ssg:tst:293"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:294" version="1">
<metadata>
<title>Configure the GNOME3 GUI Screen locking</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The allowed period of inactivity before the screensaver is activated.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_idle_delay" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="check screensaver idle delay and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="idle delay has been configured" test_ref="oval:ssg:tst:295"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:296"/>
<criterion comment="idle delay is set correctly" test_ref="oval:ssg:tst:297"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:298" version="1">
<metadata>
<title>Require Authentication for Single-User Mode</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The requirement for a password to boot into single-user mode
should be configured correctly.</description>
<reference source="galford" ref_id="20140926" ref_url="test_attestation"/>
<reference ref_id="require_singleuser_auth" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="Conditions are satisfied" test_ref="oval:ssg:tst:299"/>
<criterion test_ref="oval:ssg:tst:300"/>
<criterion test_ref="oval:ssg:tst:301" negate="true"/>
<criterion test_ref="oval:ssg:tst:302" negate="true"/>
</criteria>
</definition>
</definitions>
<tests>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure at least one NTP server is set" id="oval:ssg:tst:126" version="1">
<ind:object object_ref="oval:ssg:obj:303"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure nullok is not used in /etc/pam.d/system-auth" id="oval:ssg:tst:128" version="1">
<ind:object object_ref="oval:ssg:obj:304"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:131" version="1">
<ind:object object_ref="oval:ssg:obj:305"/>
<ind:state state_ref="oval:ssg:ste:306"/>
</ind:textfilecontent54_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:101" version="1">
<ind:object object_ref="oval:ssg:obj:111"/>
<ind:state state_ref="oval:ssg:ste:112"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="only_one_exists" comment="fedora-release is version 19" id="oval:ssg:tst:102" version="1">
<linux:object object_ref="oval:ssg:obj:113"/>
<linux:state state_ref="oval:ssg:ste:114"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg:tst:133" version="1" comment="package openssh-server is removed">
<linux:object object_ref="oval:ssg:obj:307"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:135" version="1" comment="package dconf is installed">
<linux:object object_ref="oval:ssg:obj:308"/>
</linux:rpminfo_test>
<ind:variable_test id="oval:ssg:tst:137" check="all" comment="The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:309"/>
<ind:state state_ref="oval:ssg:ste:310"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary directories uid root" id="oval:ssg:tst:139" version="1">
<unix:object object_ref="oval:ssg:obj:311"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary files uid root" id="oval:ssg:tst:140" version="1">
<unix:object object_ref="oval:ssg:obj:312"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="oval:ssg:tst:143" version="1">
<ind:object object_ref="oval:ssg:obj:313"/>
<ind:state state_ref="oval:ssg:ste:314"/>
<ind:state state_ref="oval:ssg:ste:315"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner is enabled" id="oval:ssg:tst:146" version="1">
<ind:object object_ref="oval:ssg:obj:316"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg:tst:147" version="1">
<ind:object object_ref="oval:ssg:obj:317"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="oval:ssg:tst:149" version="1">
<unix:object object_ref="oval:ssg:obj:318"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library files uid root" id="oval:ssg:tst:150" version="1">
<unix:object object_ref="oval:ssg:obj:319"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests whether prelinking is disabled" id="oval:ssg:tst:152" version="1">
<ind:object object_ref="oval:ssg:obj:320"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:154" check="all" comment="The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:321"/>
<ind:state state_ref="oval:ssg:ste:322"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="home directories" id="oval:ssg:tst:156" version="1">
<unix:object object_ref="oval:ssg:obj:323"/>
<unix:state state_ref="oval:ssg:ste:324"/>
</unix:file_test>
<ind:textfilecontent54_test id="oval:ssg:tst:158" check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth" version="1">
<ind:object object_ref="oval:ssg:obj:325"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:159" check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)" version="1">
<ind:object object_ref="oval:ssg:obj:327"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:160" check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/system-auth" version="1">
<ind:object object_ref="oval:ssg:obj:328"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:161" check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth" version="1">
<ind:object object_ref="oval:ssg:obj:329"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:162" check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)" version="1">
<ind:object object_ref="oval:ssg:obj:330"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:163" check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/password-auth" version="1">
<ind:object object_ref="oval:ssg:obj:331"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg:tst:166" version="1">
<ind:object object_ref="oval:ssg:obj:332"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:169" version="1">
<ind:object object_ref="oval:ssg:obj:333"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:170" version="1">
<ind:object object_ref="oval:ssg:obj:334"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:171" version="1">
<ind:object object_ref="oval:ssg:obj:335"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver mode is blank" id="oval:ssg:tst:173" version="1">
<ind:object object_ref="oval:ssg:obj:336"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="blank screensaver cannot be changed by user" id="oval:ssg:tst:174" version="1">
<ind:object object_ref="oval:ssg:obj:337"/>
</ind:textfilecontent54_test>
<unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter kernel.exec-shield set to 1" id="oval:ssg:tst:176" version="1">
<unix:object object_ref="oval:ssg:obj:338"/>
<unix:state state_ref="oval:ssg:ste:339"/>
</unix:sysctl_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="kernel.exec-shield static configuration" id="oval:ssg:tst:177" version="1">
<ind:object object_ref="oval:ssg:obj:340"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NX is disabled" id="oval:ssg:tst:180" version="1">
<ind:object object_ref="oval:ssg:obj:341"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:182" version="1" comment="package ntp is installed">
<linux:object object_ref="oval:ssg:obj:342"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg:tst:183" version="1" comment="package net-snmp is removed">
<linux:object object_ref="oval:ssg:obj:343"/>
</linux:rpminfo_test>
<unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg:tst:184" version="1">
<unix:object object_ref="oval:ssg:obj:344"/>
<unix:state state_ref="oval:ssg:ste:345"/>
</unix:uname_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:186" version="1">
<ind:object object_ref="oval:ssg:obj:346"/>
<ind:state state_ref="oval:ssg:ste:347"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:187" version="1">
<ind:object object_ref="oval:ssg:obj:348"/>
<ind:state state_ref="oval:ssg:ste:347"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:189" version="1" comment="AntiVirus package is installed">
<linux:object object_ref="oval:ssg:obj:349"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:191" version="1">
<ind:object object_ref="oval:ssg:obj:350"/>
<ind:state state_ref="oval:ssg:ste:351"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:ssg:tst:193" version="1">
<unix:object object_ref="oval:ssg:obj:352"/>
<unix:state state_ref="oval:ssg:ste:353"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:194" version="1">
<unix:object object_ref="oval:ssg:obj:354"/>
<unix:state state_ref="oval:ssg:ste:353"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check for existence of gpgcheck=0 in /etc/yum.repos.d/ files" id="oval:ssg:tst:196" version="1">
<ind:object object_ref="oval:ssg:obj:355"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg:tst:198" version="1">
<ind:object object_ref="oval:ssg:obj:356"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="login banner text is correctly set" id="oval:ssg:tst:199" version="1">
<ind:object object_ref="oval:ssg:obj:357"/>
<ind:state state_ref="oval:ssg:ste:358"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .netrc in /home" id="oval:ssg:tst:201" version="1">
<unix:object object_ref="oval:ssg:obj:359"/>
</unix:file_test>
<unix:uname_test check="all" comment="32 bit architecture" id="oval:ssg:tst:202" version="1">
<unix:object object_ref="oval:ssg:obj:360"/>
<unix:state state_ref="oval:ssg:ste:361"/>
</unix:uname_test>
<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure at least one NTP server is set" id="oval:ssg:tst:204" version="1">
<ind:object object_ref="oval:ssg:obj:362"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:206" version="1">
<ind:object object_ref="oval:ssg:obj:363"/>
<ind:state state_ref="oval:ssg:ste:364"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for the presence of login shells (not /sbin/nologin) for system accounts in /etc/passwd file" id="oval:ssg:tst:208" version="1">
<ind:object object_ref="oval:ssg:obj:365"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:209" version="1" comment="package vsftpd is installed">
<linux:object object_ref="oval:ssg:obj:366"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the insecure locks in /etc/exports" id="oval:ssg:tst:211" version="1">
<ind:object object_ref="oval:ssg:obj:367"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg:tst:213" version="1">
<ind:object object_ref="oval:ssg:obj:368"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:215" version="1">
<ind:object object_ref="oval:ssg:obj:369"/>
<ind:state state_ref="oval:ssg:ste:370"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:216" version="1">
<ind:object object_ref="oval:ssg:obj:371"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount in GNOME3" id="oval:ssg:tst:218" version="1">
<ind:object object_ref="oval:ssg:obj:372"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount setting" id="oval:ssg:tst:221" version="1">
<ind:object object_ref="oval:ssg:obj:373"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount-open in GNOME" id="oval:ssg:tst:219" version="1">
<ind:object object_ref="oval:ssg:obj:374"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount-open setting" id="oval:ssg:tst:222" version="1">
<ind:object object_ref="oval:ssg:obj:375"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable autorun in GNOME" id="oval:ssg:tst:220" version="1">
<ind:object object_ref="oval:ssg:obj:376"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing autorun setting" id="oval:ssg:tst:223" version="1">
<ind:object object_ref="oval:ssg:obj:377"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="none_exist" comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:tst:224" version="1">
<unix:object object_ref="oval:ssg:obj:378"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="remember is set in /etc/pam.d/system-auth" id="oval:ssg:tst:226" version="1">
<ind:object object_ref="oval:ssg:obj:379"/>
<ind:state state_ref="oval:ssg:ste:380"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:228" version="1">
<ind:object object_ref="oval:ssg:obj:381"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 6" id="oval:ssg:tst:105" version="1">
<linux:object object_ref="oval:ssg:obj:115"/>
<linux:state state_ref="oval:ssg:ste:116"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 6" id="oval:ssg:tst:106" version="1">
<linux:object object_ref="oval:ssg:obj:117"/>
<linux:state state_ref="oval:ssg:ste:118"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:230" version="1">
<ind:object object_ref="oval:ssg:obj:382"/>
<ind:state state_ref="oval:ssg:ste:383"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:232" check="all" comment="The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:384"/>
<ind:state state_ref="oval:ssg:ste:385"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary files go-w" id="oval:ssg:tst:234" version="1">
<unix:object object_ref="oval:ssg:obj:386"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:236" version="1">
<ind:object object_ref="oval:ssg:obj:387"/>
<ind:state state_ref="oval:ssg:ste:388"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg:tst:238" version="1">
<unix:object object_ref="oval:ssg:obj:389"/>
<unix:state state_ref="oval:ssg:ste:390"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:239" version="1">
<unix:object object_ref="oval:ssg:obj:391"/>
<unix:state state_ref="oval:ssg:ste:390"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="oval:ssg:tst:241" version="1">
<unix:object object_ref="oval:ssg:obj:392"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="oval:ssg:tst:242" version="1">
<unix:object object_ref="oval:ssg:obj:393"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitRootLogin[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:244" version="1">
<ind:object object_ref="oval:ssg:obj:394"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="serial ports /etc/securetty" id="oval:ssg:tst:246" version="1">
<ind:object object_ref="oval:ssg:obj:395"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:248" version="1">
<ind:object object_ref="oval:ssg:obj:396"/>
<ind:state state_ref="oval:ssg:ste:397"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="oval:ssg:tst:250" version="1">
<ind:object object_ref="oval:ssg:obj:398"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:252" check="all" comment="The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:399"/>
<ind:state state_ref="oval:ssg:ste:400"/>
</ind:variable_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/issue" id="oval:ssg:tst:254" version="1">
<ind:object object_ref="oval:ssg:obj:401"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable thumbnailers in GNOME3" id="oval:ssg:tst:256" version="1">
<ind:object object_ref="oval:ssg:obj:402"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot enable thumbnailers " id="oval:ssg:tst:257" version="1">
<ind:object object_ref="oval:ssg:obj:403"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="dconf user profile exists" id="oval:ssg:tst:258" version="1">
<ind:object object_ref="oval:ssg:obj:404"/>
</ind:textfilecontent54_test>
<unix:sysctl_test check="all" check_existence="all_exist" comment="Disable IPv6 runtime check" id="oval:ssg:tst:260" version="1">
<unix:object object_ref="oval:ssg:obj:405"/>
<unix:state state_ref="oval:ssg:ste:406"/>
</unix:sysctl_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable IPv6 in sysctl.d conf file" id="oval:ssg:tst:261" version="1">
<ind:object object_ref="oval:ssg:obj:407"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:263" version="1">
<ind:object object_ref="oval:ssg:obj:408"/>
<ind:state state_ref="oval:ssg:ste:409"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in /etc/grub2.cfg files. Superuser is not root, admin, or administrator" id="oval:ssg:tst:266" version="1">
<ind:object object_ref="oval:ssg:obj:410"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /etc/grub2.cfg" id="oval:ssg:tst:265" version="1">
<ind:object object_ref="oval:ssg:obj:411"/>
</ind:textfilecontent54_test>
<unix:password_test check="all" comment="password hashes are shadowed" id="oval:ssg:tst:268" version="1">
<unix:object object_ref="oval:ssg:obj:412"/>
<unix:state state_ref="oval:ssg:ste:413"/>
</unix:password_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="idle delay is configured" id="oval:ssg:tst:270" version="1">
<ind:object object_ref="oval:ssg:obj:414"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change idle_activation_enabled" id="oval:ssg:tst:271" version="1">
<ind:object object_ref="oval:ssg:obj:415"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for ntpd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:tst:273" version="1">
<unix:object object_ref="oval:ssg:obj:416"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="Check if there aren't directories in root's path having write permission set for group or other" id="oval:ssg:tst:275" version="1">
<unix:object object_ref="oval:ssg:obj:417"/>
</unix:file_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:108" version="1">
<ind:object object_ref="oval:ssg:obj:119"/>
<ind:state state_ref="oval:ssg:ste:120"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg:tst:109" version="1">
<linux:object object_ref="oval:ssg:obj:121"/>
<linux:state state_ref="oval:ssg:ste:122"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg:tst:110" version="1">
<linux:object object_ref="oval:ssg:obj:123"/>
<linux:state state_ref="oval:ssg:ste:124"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="oval:ssg:tst:277" version="1">
<ind:object object_ref="oval:ssg:obj:418"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg:tst:279" version="1">
<unix:object object_ref="oval:ssg:obj:419"/>
<unix:state state_ref="oval:ssg:ste:420"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:280" version="1">
<unix:object object_ref="oval:ssg:obj:421"/>
<unix:state state_ref="oval:ssg:ste:420"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="virtual consoles /etc/securetty" id="oval:ssg:tst:282" version="1">
<ind:object object_ref="oval:ssg:obj:422"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:284" check="all" comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:423"/>
<ind:state state_ref="oval:ssg:ste:424"/>
</ind:variable_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:286" version="1">
<ind:object object_ref="oval:ssg:obj:425"/>
<ind:state state_ref="oval:ssg:ste:426"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is enabled" id="oval:ssg:tst:288" version="1">
<ind:object object_ref="oval:ssg:obj:427"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock cannot be changed by user" id="oval:ssg:tst:289" version="1">
<ind:object object_ref="oval:ssg:obj:428"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is set correctly" id="oval:ssg:tst:290" version="1">
<ind:object object_ref="oval:ssg:obj:429"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock delay cannot be changed by user" id="oval:ssg:tst:291" version="1">
<ind:object object_ref="oval:ssg:obj:430"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Banner for FTP Users" id="oval:ssg:tst:293" version="1">
<ind:object object_ref="oval:ssg:obj:431"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay is configured" id="oval:ssg:tst:295" version="1">
<ind:object object_ref="oval:ssg:obj:432"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change screensaver idle delay" id="oval:ssg:tst:296" version="1">
<ind:object object_ref="oval:ssg:obj:433"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay setting is correct" id="oval:ssg:tst:297" version="1">
<ind:object object_ref="oval:ssg:obj:434"/>
<ind:state state_ref="oval:ssg:ste:435"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode" id="oval:ssg:tst:299" version="1">
<ind:object object_ref="oval:ssg:obj:436"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that the systemd rescue.service is in the runlevel1.target" id="oval:ssg:tst:300" version="1">
<ind:object object_ref="oval:ssg:obj:437"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for rescue.service in /etc/systemd/system" id="oval:ssg:tst:302" version="1">
<unix:object object_ref="oval:ssg:obj:438"/>
</unix:file_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg:tst:301" version="1">
<unix:object object_ref="oval:ssg:obj:439"/>
</unix:file_test>
</tests>
<objects>
<ind:textfilecontent54_object comment="Ensure more than one NTP server is set" id="oval:ssg:obj:303" version="1">
<ind:filepath>/etc/ntp.conf</ind:filepath>
<ind:pattern operation="pattern match">^([\s]*server[\s]+.+$){2,}$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:304" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">\s*nullok\s*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:305" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:family_object id="oval:ssg:obj:111" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:113" version="1">
<linux:name>fedora-release</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:307" version="1">
<linux:name>openssh-server</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:308" version="1">
<linux:name>dconf</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:440" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MAX_DAYS directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MAX_DAYS directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:309" version="1">
<ind:var_ref>oval:ssg:var:441</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="binary directories" id="oval:ssg:obj:311" version="1">
<!-- Check that /bin, /sbin, /usr/sbin, /usr/sbin, /usr/local/bin, and
/usr/local/sbin directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:442</filter>
</unix:file_object>
<unix:file_object comment="binary files" id="oval:ssg:obj:312" version="1">
<!-- Check that files within /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, and
/usr/local/sbin directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:442</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:313" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:316" version="1">
<ind:path>/etc/dconf/db/gdm.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:317" version="1">
<ind:path>/etc/dconf/db/gdm.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/login-screen/banner-message-enable$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="library directories" id="oval:ssg:obj:318" version="1">
<!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:443</filter>
</unix:file_object>
<unix:file_object comment="library files" id="oval:ssg:obj:319" version="1">
<!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:443</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:320" version="2">
<ind:filepath>/etc/sysconfig/prelink</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*PRELINKING=no[\s]*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:444" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last ENCRYPT_METHOD directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of ENCRYPT_METHOD directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:321" version="1">
<ind:var_ref>oval:ssg:var:445</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="home directories" id="oval:ssg:obj:323" version="2">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
<unix:path operation="equals">/home</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="exclude">oval:ssg:ste:446</filter>
<filter action="include">oval:ssg:ste:324</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:325" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:327" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:328" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:329" version="1">
<!-- Read whole /etc/pam.d/password-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:330" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:331" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:332" version="1">
<ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:333" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*xferlog_enable[\s]*=[\s]*YES$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:334" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*xferlog_std_format[\s]*=[\s]*NO$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:335" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*log_ftp_protocol[\s]*=[\s]*YES$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:336" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=\'\'$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:337" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/picture-uri$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:340" version="1">
<ind:filepath>/etc/sysctl.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:sysctl_object id="oval:ssg:obj:338" version="1">
<unix:name>kernel.exec-shield</unix:name>
</unix:sysctl_object>
<ind:textfilecontent54_object id="oval:ssg:obj:341" version="1">
<ind:filepath>/boot/grub2/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">[\s]*noexec[\s]*=[\s]*off</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:342" version="1">
<linux:name>ntp</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:343" version="1">
<linux:name>net-snmp</linux:name>
</linux:rpminfo_object>
<unix:uname_object comment="64 bit architecture" id="oval:ssg:obj:344" version="1"/>
<ind:textfilecontent54_object id="oval:ssg:obj:346" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*retry=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:348" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:349" version="1">
<linux:name>McAfeeVSEForLinux</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:350" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:352" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:354" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:355" version="1">
<ind:path>/etc/yum.repos.d</ind:path>
<ind:filename operation="pattern match">.*</ind:filename>
<ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*0\s*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:356" version="1">
<ind:path>/etc/dconf/db/gdm.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/login-screen/banner-message-text$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:357" version="1">
<ind:path>/etc/dconf/db/gdm.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^banner-message-text=[\s']*([^']*)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for .netrc in /home" id="oval:ssg:obj:359" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
<unix:path operation="equals">/home</unix:path>
<unix:filename operation="pattern match">^\.netrc$</unix:filename>
</unix:file_object>
<unix:uname_object comment="32 bit architecture" id="oval:ssg:obj:360" version="1"/>
<ind:textfilecontent54_object comment="Ensure at least one NTP server is set" id="oval:ssg:obj:362" version="1">
<ind:filepath>/etc/ntp.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:363" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:365" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:366" version="1">
<linux:name>vsftpd</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:367" version="2">
<ind:filepath>/etc/exports</ind:filepath>
<ind:pattern operation="pattern match">^(.*?(\binsecure_locks\b)[^$]*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:368" version="1">
<ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:369" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^ucredit[s\]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:371" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:372" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:373" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:374" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:375" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:376" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:377" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:obj:378" version="1">
<unix:filepath>/etc/systemd/system/multi-user.target.wants/sshd.service</unix:filepath>
<filter action="include">oval:ssg:ste:447</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:379" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:381" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:115" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:117" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:382" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:448" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_WARN_AGE directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_WARN_AGE directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:384" version="1">
<ind:var_ref>oval:ssg:var:449</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="binary files" id="oval:ssg:obj:386" version="1">
<!-- Check that binary files under /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
and /usr/local/sbin directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:450</filter>
<filter action="exclude">oval:ssg:ste:451</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:387" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:389" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:391" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="library directories" id="oval:ssg:obj:392" version="1">
<!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:452</filter>
<filter action="exclude">oval:ssg:ste:453</filter>
</unix:file_object>
<unix:file_object comment="library files" id="oval:ssg:obj:393" version="1">
<!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:452</filter>
<filter action="exclude">oval:ssg:ste:453</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:394" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="serial ports /etc/securetty" id="oval:ssg:obj:395" version="1">
<ind:filepath>/etc/securetty</ind:filepath>
<ind:pattern operation="pattern match">^ttyS[0-9]+$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:396" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^difok[\s]*=[\s]*(\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:398" comment="gpgcheck set in /etc/yum.conf" version="1">
<ind:filepath>/etc/yum.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*1\s*$</ind:pattern>
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:454" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MIN_LEN directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MIN_LEN directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:399" version="1">
<ind:var_ref>oval:ssg:var:455</ind:var_ref>
</ind:variable_object>
<ind:textfilecontent54_object id="oval:ssg:obj:401" version="1">
<ind:filepath>/etc/issue</ind:filepath>
<ind:pattern var_ref="oval:ssg:var:456" operation="pattern match"/>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:402" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/thumbnailers]([^\n]*\n+)+?disable-all=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:403" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/thumbnailers/disable-all$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:404" version="2">
<ind:filepath>/etc/dconf/profile/user</ind:filepath>
<ind:pattern operation="pattern match">^user-db:user\nsystem-db:local$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:407" version="1">
<ind:filepath>/etc/sysctl.d/ipv6.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:sysctl_object id="oval:ssg:obj:405" version="1">
<unix:name>net.ipv6.conf.all.disable_ipv6</unix:name>
</unix:sysctl_object>
<ind:textfilecontent54_object id="oval:ssg:obj:408" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:410" version="1">
<ind:filepath>/etc/grub2.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:411" version="1">
<ind:filepath>/etc/grub2.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:password_object id="oval:ssg:obj:412" version="1">
<unix:username operation="pattern match">.*</unix:username>
</unix:password_object>
<ind:textfilecontent54_object id="oval:ssg:obj:414" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:415" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/idle-activation-enabled$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for ntpd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:obj:416" version="1">
<unix:filepath>/etc/systemd/system/multi-user.target.wants/ntpd.service</unix:filepath>
<filter action="include">oval:ssg:ste:447</filter>
</unix:file_object>
<ind:environmentvariable58_object id="oval:ssg:obj:457" version="1">
<ind:pid xsi:nil="true" datatype="int"/>
<ind:name>PATH</ind:name>
</ind:environmentvariable58_object>
<unix:file_object comment="root's path directories with wrong group / other write permissions" id="oval:ssg:obj:417" version="1">
<unix:path var_ref="oval:ssg:var:458" var_check="at least one"/>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:459</filter>
<filter action="exclude">oval:ssg:ste:460</filter>
</unix:file_object>
<ind:family_object id="oval:ssg:obj:119" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:121" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:123" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:418" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]*:0</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:419" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:421" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<ind:textfilecontent54_object comment="virtual consoles /etc/securetty" id="oval:ssg:obj:422" version="1">
<ind:filepath>/etc/securetty</ind:filepath>
<ind:pattern operation="pattern match">^vc/[0-9]+$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:461" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MIN_DAYS directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MIN_DAYS directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:423" version="1">
<ind:var_ref>oval:ssg:var:462</ind:var_ref>
</ind:variable_object>
<ind:textfilecontent54_object id="oval:ssg:obj:425" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:427" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:428" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-enabled$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:429" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-delay=0$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:430" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-delay$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="Banner for FTP Users" id="oval:ssg:obj:431" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*banner_file[\s]*=[\s]*/etc/issue*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:432" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=[0-9]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:433" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/session/idle-delay$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:434" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^idle-delay[\s=]*([^=\s]*)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:436" version="1">
<ind:filepath>/usr/lib/systemd/system/rescue.service</ind:filepath>
<ind:pattern operation="pattern match">^ExecStart=\-.*/sbin/sulogin</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:437" version="1">
<ind:filepath>/usr/lib/systemd/system/runlevel1.target</ind:filepath>
<ind:pattern operation="pattern match">^Requires=.*rescue.service</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for rescue.service in /etc/systemd/system" id="oval:ssg:obj:438" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
<unix:path operation="equals">/etc/systemd/system</unix:path>
<unix:filename operation="pattern match">^rescue.service$</unix:filename>
</unix:file_object>
<unix:file_object comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg:obj:439" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
<unix:path operation="equals">/etc/systemd/system</unix:path>
<unix:filename operation="pattern match">^runlevel1.target$</unix:filename>
</unix:file_object>
</objects>
<states>
<ind:textfilecontent54_state id="oval:ssg:ste:306" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:463"/>
</ind:textfilecontent54_state>
<ind:family_state id="oval:ssg:ste:112" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:114" version="1">
<linux:version operation="pattern match">^19$</linux:version>
</linux:rpminfo_state>
<ind:variable_state id="oval:ssg:ste:310" version="1">
<ind:value operation="less than or equal" var_ref="oval:ssg:var:464" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:442" version="1" operator="OR">
<unix:user_id datatype="int" operation="not equal">0</unix:user_id>
</unix:file_state>
<ind:textfilecontent54_state comment="upper bound of ClientAliveInterval in seconds" id="oval:ssg:ste:314" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg:var:465"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state comment="lower bound of ClientAliveInterval in seconds" id="oval:ssg:ste:315" version="1">
<ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:443" version="1">
<unix:user_id datatype="int" operation="not equal">0</unix:user_id>
</unix:file_state>
<ind:variable_state id="oval:ssg:ste:322" version="1">
<ind:value operation="equals" datatype="string">SHA512</ind:value>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:446" version="1">
<!-- Exclude /home directory itself from the check. Check /home/* directories only. -->
<unix:path operation="equals">/home</unix:path>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:324" version="1" operator="OR">
<unix:suid datatype="boolean">true</unix:suid>
<unix:sgid datatype="boolean">true</unix:sgid>
<unix:sticky datatype="boolean">true</unix:sticky>
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:oread datatype="boolean">true</unix:oread>
<unix:owrite datatype="boolean">true</unix:owrite>
<unix:oexec datatype="boolean">true</unix:oexec>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:326" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:466"/>
</ind:textfilecontent54_state>
<unix:sysctl_state id="oval:ssg:ste:339" version="1">
<unix:value datatype="int" operation="equals">1</unix:value>
</unix:sysctl_state>
<unix:uname_state comment="64 bit architecture" id="oval:ssg:ste:345" version="1">
<unix:processor_type operation="equals">x86_64</unix:processor_type>
</unix:uname_state>
<ind:textfilecontent54_state id="oval:ssg:ste:347" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:467"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:351" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:468"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:353" version="1">
<unix:uexec datatype="boolean">false</unix:uexec>
<unix:gread datatype="boolean">false</unix:gread>
<unix:gwrite datatype="boolean">false</unix:gwrite>
<unix:gexec datatype="boolean">false</unix:gexec>
<unix:oread datatype="boolean">false</unix:oread>
<unix:owrite datatype="boolean">false</unix:owrite>
<unix:oexec datatype="boolean">false</unix:oexec>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:358" version="1">
<ind:subexpression datatype="string" operation="pattern match" var_ref="oval:ssg:var:456"/>
</ind:textfilecontent54_state>
<unix:uname_state comment="32 bit architecture" id="oval:ssg:ste:361" version="1">
<unix:processor_type operation="equals">i686</unix:processor_type>
</unix:uname_state>
<ind:textfilecontent54_state id="oval:ssg:ste:364" version="1">
<ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:370" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:469"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:447" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:380" version="1">
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:470"/>
</ind:textfilecontent54_state>
<linux:rpminfo_state id="oval:ssg:ste:116" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:118" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<ind:textfilecontent54_state id="oval:ssg:ste:383" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:471"/>
</ind:textfilecontent54_state>
<ind:variable_state id="oval:ssg:ste:385" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:472" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:450" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:451" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:388" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:473"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:390" version="1">
<unix:user_id datatype="int">0</unix:user_id>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:452" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:453" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:397" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:474"/>
</ind:textfilecontent54_state>
<ind:variable_state id="oval:ssg:ste:400" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:475" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:sysctl_state id="oval:ssg:ste:406" version="1">
<unix:value datatype="int" operation="equals">1</unix:value>
</unix:sysctl_state>
<ind:textfilecontent54_state id="oval:ssg:ste:409" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:476"/>
</ind:textfilecontent54_state>
<unix:password_state id="oval:ssg:ste:413" version="1">
<unix:password>x</unix:password>
</unix:password_state>
<unix:file_state comment="group or other has write privilege" id="oval:ssg:ste:459" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state comment="symbolic link" id="oval:ssg:ste:460" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:family_state id="oval:ssg:ste:120" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:122" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:124" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<unix:file_state id="oval:ssg:ste:420" version="1">
<unix:group_id datatype="int">0</unix:group_id>
</unix:file_state>
<ind:variable_state id="oval:ssg:ste:424" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:477" datatype="int" var_check="at least one"/>
</ind:variable_state>
<ind:textfilecontent54_state id="oval:ssg:ste:426" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:478"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:435" version="1">
<ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:479"/>
</ind:textfilecontent54_state>
</states>
<variables>
<external_variable comment="External variable for pam_cracklib minclass" datatype="int" id="oval:ssg:var:463" version="1"/>
<local_variable id="oval:ssg:var:441" datatype="int" comment="The value of last PASS_MAX_DAYS directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MAX_DAYS\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:440"/>
</regex_capture>
</local_variable>
<external_variable comment="Maximum password age" datatype="int" id="oval:ssg:var:464" version="1"/>
<external_variable comment="timeout value" datatype="int" id="oval:ssg:var:465" version="1"/>
<local_variable id="oval:ssg:var:445" datatype="string" comment="The value of last ENCRYPT_METHOD directive in /etc/login.defs" version="1">
<regex_capture pattern="ENCRYPT_METHOD\s+(\w+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:444"/>
</regex_capture>
</local_variable>
<external_variable id="oval:ssg:var:466" datatype="int" comment="number of failed login attempts allowed" version="1"/>
<external_variable comment="External variable for pam_cracklib retry" datatype="int" id="oval:ssg:var:467" version="1"/>
<external_variable comment="External variable for pam_cracklib minlen" datatype="int" id="oval:ssg:var:468" version="1"/>
<external_variable comment="external variable for GDM login banner text" datatype="string" id="oval:ssg:var:456" version="1"/>
<external_variable comment="External variable for pam_cracklib ucredit" datatype="int" id="oval:ssg:var:469" version="1"/>
<external_variable comment="number of passwords that should be remembered" datatype="int" id="oval:ssg:var:470" version="1"/>
<external_variable comment="External variable for pam_cracklib ocredit" datatype="int" id="oval:ssg:var:471" version="1"/>
<local_variable id="oval:ssg:var:449" datatype="int" comment="The value of last PASS_WARN_AGE directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_WARN_AGE\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:448"/>
</regex_capture>
</local_variable>
<external_variable comment="password expiration warning age in days" datatype="int" id="oval:ssg:var:472" version="1"/>
<external_variable comment="External variable for pam_cracklib maxrepeat" datatype="int" id="oval:ssg:var:473" version="1"/>
<external_variable comment="External variable for pam_cracklib difok" datatype="int" id="oval:ssg:var:474" version="1"/>
<local_variable id="oval:ssg:var:455" datatype="int" comment="The value of last PASS_MIN_LEN directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MIN_LEN\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:454"/>
</regex_capture>
</local_variable>
<external_variable comment="Password minimum length" datatype="int" id="oval:ssg:var:475" version="1"/>
<external_variable comment="External variable for pam_cracklib lcredit" datatype="int" id="oval:ssg:var:476" version="1"/>
<local_variable comment="Split the PATH on the : delimiter" datatype="string" id="oval:ssg:var:458" version="1">
<split delimiter=":">
<object_component item_field="value" object_ref="oval:ssg:obj:457"/>
</split>
</local_variable>
<local_variable id="oval:ssg:var:462" datatype="int" comment="The value of last PASS_MIN_DAYS directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MIN_DAYS\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:461"/>
</regex_capture>
</local_variable>
<external_variable comment="Minimum password age in days" datatype="int" id="oval:ssg:var:477" version="1"/>
<external_variable comment="External variable for pam_cracklib dcredit" datatype="int" id="oval:ssg:var:478" version="1"/>
<external_variable comment="inactivity timeout variable" datatype="string" id="oval:ssg:var:479" version="1"/>
</variables>
</oval_definitions>
</ds:component>
<ds:component id="scap_org.open-scap_comp_ssg-fedora-xccdf-1.2.xml" timestamp="2015-03-17T12:23:35">
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_FEDORA" resolved="1" xml:lang="en-US">
<status date="2015-03-17">draft</status>
<title xml:lang="en-US">Guide to the Secure Configuration of Fedora</title>
<description xml:lang="en-US">This guide presents a catalog of security-relevant configuration
settings for Fedora operating system formatted in the eXtensible Configuration
Checklist Description Format (XCCDF).
<br xmlns="http://www.w3.org/1999/xhtml"/>
<br xmlns="http://www.w3.org/1999/xhtml"/>
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a <i xmlns="http://www.w3.org/1999/xhtml">catalog, not a
checklist,</i> and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives. Some example
XCCDF <i xmlns="http://www.w3.org/1999/xhtml">Profiles</i>, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP).
</description>
<notice xml:lang="en-US" id="terms_of_use">Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.</notice>
<front-matter xml:lang="en-US">
<p xmlns="http://www.w3.org/1999/xhtml">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="Layer_1" xml:space="preserve" height="140px" viewBox="30 100 330 150" width="350px" version="1.1" y="0px" x="0px" enable-background="new 30 100 330 150">
<g fill="#3A3B3B">
<path d="m197.1 150.3s-10.1-1.2-14.4-1.2c-7.2 0-11.0 2.6-11.0 8.3 0 6.6 3.5 7.7 12.3 9.6 10.1 2.3 14.5 4.7 14.5 13.6 0 11.2-6.1 15.6-16.1 15.6-6.0 0-16.0-1.6-16.0-1.6l0.6-4.7s9.9 1.3 15.1 1.3c7.2 0 10.8-3.1 10.8-10.2 0-5.7-3.0-7.3-11.2-8.9-10.4-2.3-15.7-4.7-15.7-14.4 0-9.8 6.4-13.6 16.3-13.6 6.0 0 15.3 1.5 15.3 1.5l-0.5 4.8z"/>
<path d="m238.7 194.6c-3.6 0.7-9.1 1.5-13.9 1.5-15.1 0-18.5-9.2-18.5-25.9 0-17.1 3.3-26.1 18.5-26.1 5.2 0 10.7 1.0 13.9 1.6l-0.2 4.7c-3.3-0.6-9.2-1.3-13.1-1.3-11.2 0-13.2 6.7-13.2 21.1 0 14.1 1.8 20.8 13.4 20.8 4.1 0 9.5-0.7 13.0-1.3l0.2 4.8z"/>
<path d="m257.5 144.9h12.3l13.9 50.5h-5.6l-3.7-13.0h-21.6l-3.7 13.0h-5.5l13.9-50.5zm-3.4 32.5h19.1l-7.7-27.7h-3.8l-7.7 27.7z"/>
<path d="m297.2 178.4v17.0h-5.6v-50.5h18.5c11.0 0 16.1 5.3 16.1 16.3 0 11.0-5.1 17.2-16.1 17.2h-12.9zm12.8-5.0c7.4 0 10.4-4.5 10.4-12.3 0-7.7-3.1-11.3-10.4-11.3h-12.8v23.6h12.8z"/>
</g>
<g fill="#676767">
<path d="m176.8 211.2s-2.8-0.3-4.0-0.3c-1.5 0-2.2 0.5-2.2 1.4 0 0.9 0.5 1.2 2.8 1.9 2.9 0.9 3.8 1.8 3.8 4.0 0 3.0-2.0 4.3-4.7 4.3-1.9 0-4.5-0.6-4.5-0.6l0.3-2.1s2.7 0.4 4.1 0.4c1.5 0 2.1-0.7 2.1-1.8 0-0.8-0.5-1.2-2.4-1.8-3.1-0.9-4.2-1.9-4.2-4.1 0-2.8 1.9-4.0 4.6-4.0 1.8 0 4.5 0.5 4.5 0.5l-0.2 2.2z"/>
<path d="m180.6 208.7h8.8v2.4h-6.0v3.2h4.8v2.4h-4.9v3.3h6.0v2.4h-8.8v-13.6z"/>
<path d="m201.2 222.1c-0.9 0.2-2.7 0.5-4.0 0.5-4.2 0-5.2-2.3-5.2-7.0 0-5.2 1.2-7.0 5.2-7.0 1.4 0 3.1 0.3 4.0 0.5l-0.1 2.2c-0.9-0.1-2.6-0.3-3.5-0.3-2.1 0-2.8 0.7-2.8 4.6 0 3.7 0.5 4.6 2.8 4.6 0.9 0 2.6-0.2 3.4-0.3l0.1 2.3z"/>
<path d="m209.5 220.2c1.6 0 2.4-0.8 2.4-2.4v-9.1h2.8v9.0c0 3.4-1.8 4.8-5.2 4.8-3.4 0-5.2-1.4-5.2-4.8v-9.0h2.8v9.1c0 1.6 0.8 2.4 2.4 2.4z"/>
<path d="m221.3 217.8v4.6h-2.8v-13.6h5.3c3.1 0 4.8 1.4 4.8 4.5 0 1.9-0.8 3.1-2.0 3.9l1.9 5.2h-3.0l-1.6-4.6h-2.7zm2.5-6.7h-2.5v4.3h2.6c1.4 0 1.9-1.0 1.9-2.2 0-1.3-0.7-2.2-2.0-2.2z"/>
<path d="m231.9 208.7h2.8v13.6h-2.8v-13.6z"/>
<path d="m237.4 208.7h10.0v2.4h-3.6v11.2h-2.8v-11.2h-3.6v-2.4z"/>
<path d="m255.7 222.3h-2.8v-5.5l-4.2-8.1h3.1l2.5 5.4 2.5-5.4h3.1l-4.2 8.1v5.5z"/>
<path d="m273.4 215.1h4.0v7.1s-2.9 0.5-4.6 0.5c-4.4 0-5.6-2.5-5.6-7.0 0-5.0 1.4-7.0 5.5-7.0 2.1 0 4.7 0.6 4.7 0.6l-0.1 2.1s-2.4-0.3-4.2-0.3c-2.4 0-3.1 0.8-3.1 4.6 0 3.6 0.5 4.6 3.0 4.6 0.8 0 1.7-0.1 1.7-0.1v-2.6h-1.2v-2.4z"/>
<path d="m286 220.2c1.6 0 2.4-0.8 2.4-2.4v-9.1h2.8v9.0c0 3.4-1.8 4.8-5.2 4.8s-5.2-1.4-5.2-4.8v-9.0h2.8v9.1c0 1.6 0.8 2.4 2.4 2.4z"/>
<path d="m295.0 208.7h2.8v13.6h-2.8v-13.6z"/>
<path d="m301.8 222.3v-13.6h4.6c4.7 0 5.8 2.0 5.6 6.5 0 4.6-0.9 7.1-5.8 7.1h-4.6zm4.6-11.2h-1.8v8.8h1.8c2.7 0 2.9-1.6 2.9-4.7 0-3.0-0.3-4.1-3.0-4.1z"/>
<path d="m315.5 208.7h8.8v2.4h-6.0v3.2h4.8v2.4h-4.8v3.3h6.0v2.4h-8.8v-13.6z"/>
</g>
<path d="m116.0 204.9h-2.8c-1.5 0-2.8 1.2-2.8 2.7v19.2c0 1.5 1.3 2.7 2.8 2.7h27.9c1.5 0 2.8-1.2 2.8-2.7v-19.2c0-1.5-1.3-2.7-2.8-2.7h-2.8v-8.2c0-6.1-5.0-11.0-11.2-11.0-6.2 0-11.2 4.9-11.2 11.0v8.2zm5.6-8.2c0-3.0 2.5-5.5 5.6-5.4 3.1 0 5.6 2.4 5.6 5.5v8.2h-11.2v-8.2z" fill="#6D0B2B"/>
<g fill="#AD1D3F">
<path d="m106.4 214.7c-16.4 11.4-37.5 7.8-50.0-3.4l11.9-11.7c2.3-1.9 3.4-5.4 1.2-8.8-0.1-0.1-6.7-11.0 2.3-19.8 7.3-7.2 17.8-5.8 23.3-0.3 3.2 3.1 4.9 7.1 4.9 11.4v0.1c0 4.3-1.8 8.5-5.1 11.7-4.0 3.9-9.6 5.4-15.4 4.1-2.1-0.5-4.3 0.8-4.8 2.9-0.5 2.1 0.8 4.2 2.9 4.7 8.4 2.0 16.9-0.3 22.8-6.1 4.9-4.8 7.5-10.9 7.4-17.4-0.0-6.3-2.6-12.3-7.3-16.8-8.2-8.1-23.8-10.3-34.5 0.3-10.7 10.5-6.6 23.8-3.7 28.8l-12.8 12.6c-2.9 2.9-2.3 6.6-0.2 8.7 15.4 15.2 38.7 17.9 56.9 8.2l-0.0-9.1z"/>
<path d="m43.9 188.4c-1.1-7.5-1.1-21.8 11.2-33.9 8.0-7.9 18.5-12.0 29.5-11.7 10.2 0.3 20.1 4.5 27.1 11.4 7.6 7.4 11.8 17.3 11.9 27.8v0.1c1.16-0.3 2.4-0.4 3.6-0.4 1.5 0 2.9 0.2 4.3 0.6 0-0.1 0.0-0.2 0.0-0.3-0.1-12.5-5.2-24.3-14.2-33.2-8.4-8.3-20.2-13.3-32.4-13.7-13.2-0.5-25.8 4.5-35.4 14.0-9.1 8.9-14.0 20.8-14.0 33.3 0 2.4 0.2 4.8 0.5 7.2 0.6 4.0 1.8 8.1 3.7 12.2 0.9 2.0 3.2 2.8 5.2 1.9 2.0-0.9 2.9-3.1 2.0-5.1-1.5-3.3-2.6-6.8-3.1-10.1z"/>
</g>
<circle cy="218.49" cx="127.26" r="3.233" fill="#fff"/>
</svg>
</p>
</front-matter>
<rear-matter xml:lang="en-US">Red Hat and Fedora are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
<platform idref="cpe:/o:fedoraproject:fedora:21"/>
<platform idref="cpe:/o:fedoraproject:fedora:20"/>
<platform idref="cpe:/o:fedoraproject:fedora:19"/>
<version>0.0.4</version>
<model system="urn:xccdf:scoring:default"/>
<Profile id="xccdf_org.ssgproject.content_profile_common">
<title xml:lang="en-US">Common Profile for General-Purpose Fedora Systems</title>
<description xml:lang="en-US">This profile contains items common to general-purpose Fedora installations.</description>
<select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_uidzero_except_root" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
<select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" selector="12"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="7"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/>
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" selector="7"/>
<refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="5_minutes"/>
</Profile>
<Value id="xccdf_org.ssgproject.content_value_conditional_clause" operator="equals" type="string">
<title xml:lang="en-US">A conditional clause for check statements.</title>
<description xml:lang="en-US">A conditional clause for check statements.</description>
<value>This is a placeholder.</value>
</Value>
<Group id="xccdf_org.ssgproject.content_group_intro">
<title xml:lang="en-US">Introduction</title>
<description xml:lang="en-US"><!-- purpose and scope of guidance -->
The purpose of this guidance is to provide security configuration
recommendations and baselines for the Fedora operating system.
Recommended settings for the basic operating system are provided,
as well as for many network services that the system can provide
to other systems.
<!-- audience -->The guide is intended for system administrators. Readers are assumed to
possess basic system administration skills for Unix-like systems, as well
as some familiarity with Fedora's documentation and administration
conventions. Some instructions within this guide are complex.
All directions should be followed completely and with understanding of
their effects in order to avoid serious adverse effects on the system
and its security.
</description>
<Group id="xccdf_org.ssgproject.content_group_general-principles">
<title xml:lang="en-US">General Principles</title>
<description xml:lang="en-US">
The following general principles motivate much of the advice in this
guide and should also influence any configuration decisions that are
not explicitly covered.
</description>
<Group id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">
<title xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title>
<description xml:lang="en-US">
Data transmitted over a network, whether wired or wireless, is susceptible
to passive monitoring. Whenever practical solutions for encrypting
such data exist, they should be applied. Even if data is expected to
be transmitted only over a local network, it should still be encrypted.
Encrypting authentication data, such as passwords, is particularly
important. Networks of Fedora machines can and should be configured
so that no unencrypted authentication data is ever transmitted between
machines.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_principle-minimize-software">
<title xml:lang="en-US">Minimize Software to Minimize Vulnerability</title>
<description xml:lang="en-US">
The simplest way to avoid vulnerabilities in software is to avoid
installing that software. On Fedora, the RPM Package Manager (originally
Red Hat Package Manager, abbreviated RPM) allows for careful management of
the set of software packages installed on a system. Installed software
contributes to system vulnerability in several ways. Packages that
include setuid programs may provide local attackers a potential path to
privilege escalation. Packages that include network services may give
this opportunity to network-based attackers. Packages that include
programs which are predictably executed by local users (e.g. after
graphical login) may provide opportunities for trojan horses or other
attack code to be run undetected. The number of software packages
installed on a system can almost always be significantly pruned to include
only the software for which there is an environmental or operational need.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_principle-separate-servers">
<title xml:lang="en-US">Run Different Network Services on Separate Systems</title>
<description xml:lang="en-US">
Whenever possible, a server should be dedicated to serving exactly one
network service. This limits the number of other services that can
be compromised in the event that an attacker is able to successfully
exploit a software flaw in one network service.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_principle-use-security-tools">
<title xml:lang="en-US">Configure Security Tools to Improve System Robustness</title>
<description xml:lang="en-US">
Several tools exist which can be effectively used to improve a system's
resistance to and detection of unknown attacks. These tools can improve
robustness against attack at the cost of relatively little configuration
effort. In particular, this guide recommends and discusses the use of
Iptables for host-based firewalling, SELinux for protection against
vulnerable services, and a logging and auditing infrastructure for
detection of problems.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_principle-least-privilege">
<title xml:lang="en-US">Least Privilege</title>
<description xml:lang="en-US">
Grant the least privilege necessary for user accounts and software to perform tasks.
For example, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> can be implemented to limit authorization to super user
accounts on the system only to designated personnel. Another example is to limit
logins on server systems to only those administrators who need to log into them in
order to perform administration tasks. Using SELinux also follows the principle of
least privilege: SELinux policy can confine software to perform only actions on the
system that are specifically allowed. This can be far more restrictive than the
actions permissible by the traditional Unix permissions model.
</description>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_how-to-use">
<title xml:lang="en-US">How to Use This Guide</title>
<description xml:lang="en-US">
Readers should heed the following points when using the guide.
</description>
<Group id="xccdf_org.ssgproject.content_group_intro-read-sections-completely">
<title xml:lang="en-US">Read Sections Completely and in Order</title>
<description xml:lang="en-US">
Each section may build on information and recommendations discussed in
prior sections. Each section should be read and understood completely;
instructions should never be blindly applied. Relevant discussion may
occur after instructions for an action.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_intro-test-non-production">
<title xml:lang="en-US">Test in Non-Production Environment</title>
<description xml:lang="en-US">
This guidance should always be tested in a non-production environment
before deployment. This test environment should simulate the setup in
which the system will be deployed as closely as possible.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed">
<title xml:lang="en-US">Root Shell Environment Assumed</title>
<description xml:lang="en-US">
Most of the actions listed in this document are written with the
assumption that they will be executed by the root user running the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/bin/bash</xhtml:code> shell. Commands preceded with a hash mark (#)
assume that the administrator will execute the commands as root, i.e.
apply the command via <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> whenever possible, or use
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">su</xhtml:code> to gain root privileges if <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> cannot be
used. Commands which can be executed as a non-root user are are preceded
by a dollar sign ($) prompt.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_intro-formatting-conventions">
<title xml:lang="en-US">Formatting Conventions</title>
<description xml:lang="en-US">
Commands intended for shell execution, as well as configuration file text,
are featured in a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">monospace font</xhtml:code>. <i xmlns="http://www.w3.org/1999/xhtml">Italics</i> are used
to indicate instances where the system administrator must substitute
the appropriate information into a command or configuration file.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_intro-reboot-required">
<title xml:lang="en-US">Reboot Required</title>
<description xml:lang="en-US">
A system reboot is implicitly required after some actions in order to
complete the reconfiguration of the system. In many cases, the changes
will not take effect until a reboot is performed. In order to ensure
that changes are applied properly and to test functionality, always
reboot the system after applying a set of recommendations from this guide.
</description>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_system">
<title xml:lang="en-US">System Settings</title>
<Group id="xccdf_org.ssgproject.content_group_software">
<title xml:lang="en-US">Installing and Maintaining Software</title>
<description xml:lang="en-US">The following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates.</description>
<Group id="xccdf_org.ssgproject.content_group_updating">
<title xml:lang="en-US">Updating Software</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the <b xmlns="http://www.w3.org/1999/xhtml">System</b> menu, in the <b xmlns="http://www.w3.org/1999/xhtml">Administration</b> submenu,
called <b xmlns="http://www.w3.org/1999/xhtml">Software Update</b>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Fedora systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Tools such as
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> or the graphical <b xmlns="http://www.w3.org/1999/xhtml">Software Update</b> ensure usage of RPM
packages for software installation. This allows for insight into the current
inventory of installed software on the system, and is highly recommended.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="false" severity="high">
<title xml:lang="en-US">gpgcheck Enabled In Main Yum Configuration</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> option should be used to ensure
checking of an RPM package's signature always occurs prior to its
installation. To configure yum to check package signatures before installing
them, ensure the following line appears in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.conf</xhtml:code> in
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[main]</xhtml:code> section:
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=1</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">352</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">663</reference>
<rationale xml:lang="en-US">
Ensuring the validity of packages' cryptographic signatures prior to
installation ensures the provenance of the software and
protects against malicious tampering.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:249" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="GPG checking is not enabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To determine whether <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> is configured to use <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code>,
inspect <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.conf</xhtml:code> and ensure the following appears in the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[main]</xhtml:code> section:
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=1</pre>
A value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1</xhtml:code> indicates that <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> is enabled. Absence of a
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> line or a setting of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code> indicates that it is
disabled.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="false" severity="high">
<title xml:lang="en-US">gpgcheck Enabled For All Yum Package Repositories</title>
<description xml:lang="en-US">To ensure signature checking is not disabled for
any repos, remove any lines from files in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.repos.d</xhtml:code> of the form:
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=0</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">352</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">663</reference>
<rationale xml:lang="en-US">
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and
protects against malicious tampering.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:195" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="GPG checking is disabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To determine whether <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> has been configured to disable
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> for any repos, inspect all files in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.repos.d</xhtml:code> and ensure the following does not appear in any
sections:
<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=0</pre>
A value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code> indicates that <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> has been disabled for that repo.
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_integrity">
<title xml:lang="en-US">Software Integrity Checking</title>
<description xml:lang="en-US">
Both the AIDE (Advanced Intrusion Detection Environment)
software and the RPM package management system provide
mechanisms for verifying the integrity of installed software.
AIDE uses snapshots of file metadata (such as hashes) and compares these
to current system files in order to detect changes.
The RPM package management system can conduct integrity
checks by comparing information in its metadata database with
files installed on the system.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Integrity checking cannot <i xmlns="http://www.w3.org/1999/xhtml">prevent</i> intrusions,
but can detect that they have occurred. Requirements
for software integrity checking may be highly dependent on
the environment in which the system will be used. Snapshot-based
approaches such as AIDE may induce considerable overhead
in the presence of frequent software updates.
</description>
<Group id="xccdf_org.ssgproject.content_group_aide">
<title xml:lang="en-US">Verify Integrity with AIDE</title>
<description xml:lang="en-US">AIDE conducts integrity checks by comparing information about
files with previously-gathered information. Ideally, the AIDE database is
created immediately after initial system configuration, and then again after any
software update. AIDE is highly configurable, with further configuration
information located in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/share/doc/aide-<i xmlns="http://www.w3.org/1999/xhtml">VERSION</i></xhtml:code>.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false" severity="medium">
<title xml:lang="en-US">Install AIDE</title>
<description xml:lang="en-US">
Install the AIDE package with the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo yum install aide</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1069</reference>
<reference href="test_attestation">
<dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">DS</dc:contributor>
<dc:date xmlns:dc="http://purl.org/dc/elements/1.1/">20121024</dc:date>
</reference>
<rationale xml:lang="en-US">
The AIDE package must be installed if it is to be available for integrity checking.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the package is not installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">aide</xhtml:code> package is installed:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q aide</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_disable_prelink" selected="false" severity="low">
<title xml:lang="en-US">Disable Prelinking</title>
<description xml:lang="en-US">
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/prelink</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">PRELINKING=no</pre>
Next, run the following command to return binaries to a normal, non-prelinked state:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo /usr/sbin/prelink -ua</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<rationale xml:lang="en-US">
The prelinking feature can interfere with the operation
of AIDE, because it changes binaries.
</rationale>
<fixtext reboot="1">asdasdasd</fixtext>
<fixtext>asdasdsdfasdfasd</fixtext>
<fixtext>asdfasdfsdasdasd</fixtext>
<fix system="urn:xccdf:fix:script:sh" reboot="true">#
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua
</fix>
<fix system="urn:xccdf:fix:script:sh">#
# Disable presdfasdfasdflinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:151" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_aide_build_database" selected="false" severity="medium">
<title xml:lang="en-US">Build and Test AIDE Database</title>
<description xml:lang="en-US">Run the following command to generate a new database:
<pre xmlns="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --init</pre>
By default, the database will be written to the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/lib/aide/aide.db.new.gz</xhtml:code>.
Storing the database, the configuration file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/aide.conf</xhtml:code>, and the binary
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/sbin/aide</xhtml:code> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
<pre xmlns="http://www.w3.org/1999/xhtml"># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre>
To initiate a manual check, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --check</pre>
If this check produces any unexpected output, investigate.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<rationale xml:lang="en-US">
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="false" severity="medium">
<title xml:lang="en-US">Configure Periodic Execution of AIDE</title>
<description xml:lang="en-US">
To implement a daily execution of AIDE at 4:05am using cron, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/crontab</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">05 4 * * * root /usr/sbin/aide --check</pre>
AIDE can be executed periodically through other means; this is merely one example.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">374</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">416</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1069</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1263</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1297</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1589</reference>
<rationale xml:lang="en-US">
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
</rationale>
<check system="ocil-transitional">
<check-export export-name="there is no output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To determine that periodic AIDE execution has been scheduled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep aide /etc/crontab</pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_rpm_verification">
<title xml:lang="en-US">Verify Integrity with RPM</title>
<description xml:lang="en-US">The RPM package management system includes the ability
to verify the integrity of installed packages by comparing the
installed files with information about the files taken from the
package metadata stored in the RPM database. Although an attacker
could corrupt the RPM database (analogous to attacking the AIDE
database as described above), this check can still reveal
modification of important files. To list which files on the system differ from what is expected by the RPM database:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qVa</pre>
See the man page for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpm</xhtml:code> to see a complete explanation of each column.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="false" severity="low">
<title xml:lang="en-US">Verify and Correct File Permissions with RPM</title>
<description xml:lang="en-US">
The RPM package management system can check file access
permissions of installed software packages, including many that are
important to system security.
After locating a file with incorrect permissions, run the following command to determine which package owns it:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qf <i>FILENAME</i></pre>
Next, run the following command to reset its permissions to
the correct values:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm --setperms <i>PACKAGENAME</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1493</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1494</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1495</reference>
<rationale xml:lang="en-US">
Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.</rationale>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The following command will list which files on the system have permissions different from what
is expected by the RPM database:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | grep '^.M'</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="false" severity="low">
<title xml:lang="en-US">Verify File Hashes with RPM</title>
<description xml:lang="en-US">The RPM package management system can check the hashes of
installed software packages, including many that are important to system
security. Run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | grep '^..5'</pre>
A "c" in the second column indicates that a file is a configuration file, which
may appropriately be expected to change. If the file was not expected to
change, investigate the cause of the change using audit logs or other means.
The package can then be reinstalled to restore the file.
Run the following command to determine which package owns the file:
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qf <i>FILENAME</i></pre>
The package can be reinstalled from a yum repository using the command:
<pre xmlns="http://www.w3.org/1999/xhtml">yum reinstall <i>PACKAGENAME</i></pre>
Alternatively, the package can be reinstalled from trusted media using the command:
<pre xmlns="http://www.w3.org/1999/xhtml">rpm -Uvh <i>PACKAGENAME</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1496</reference>
<rationale xml:lang="en-US">
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.</rationale>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content> The following command will list which files on the system
have file hashes different from what is expected by the RPM database.
<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'</pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_additional_security_software">
<title xml:lang="en-US">Additional Security Software</title>
<description xml:lang="en-US">
Additional security software that is not provided or supported
by Red Hat can be installed to provide complementary or duplicative
security capabilities to those provided by the base platform. Add-on
software may not be appropriate for some specialized systems.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_install_hids" selected="false" severity="high">
<title xml:lang="en-US">Install Intrusion Detection Software</title>
<description xml:lang="en-US">
The Red Hat platform includes a sophisticated auditing system
and SELinux, which provide host-based intrusion detection capabilities.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1263</reference>
<rationale xml:lang="en-US">
Host-based intrusion detection tools provide a system-level defense when an
intruder gains access to a system or network.
</rationale>
<check system="ocil-transitional">
<check-export export-name="no host-based intrusion detection tools are installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect the system to determine if intrusion detection software has been installed.
Verify this intrusion detection software is active.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_install_antivirus" selected="false" severity="low">
<title xml:lang="en-US">Install Virus Scanning Software</title>
<description xml:lang="en-US">
Install virus scanning software, which uses signatures to search for the
presence of viruses on the filesystem.
The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems.
Ensure virus definition files are no older than 7 days, or their last release.
<!-- need info here on where DoD admins can go to get this -->
Configure the virus scanning software to perform scans dynamically on all
accessed files. If this is not possible, configure the
system to scan all altered files on the system on a daily
basis. If the system processes inbound SMTP mail, configure the virus scanner
to scan all received mail.
<!-- what's the basis for the IAO language? would not failure of a check
imply a discussion, for every check in this document,
with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your
particular neighborhood) should occur? -->
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-3</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1239</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1668</reference>
<rationale xml:lang="en-US">
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:188" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="virus scanning software does not run continuously, or at least daily, or has signatures that are out of date" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect the system for a cron job or system service which executes
a virus scanning tool regularly.
<br xmlns="http://www.w3.org/1999/xhtml"/>
<!-- this should be handled as DoD-specific text in a future revision -->
To verify the McAfee VSEL system service is operational,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># /etc/init.d/nails status</pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
To check on the age of uvscan virus definition files, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># cd /opt/NAI/LinuxShield/engine/dat
# ls -la avvscan.dat avvnames.dat avvclean.dat</pre>
</check-content>
</check>
</Rule>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_permissions">
<title xml:lang="en-US">File Permissions and Masks</title>
<description xml:lang="en-US">Traditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access.
</description>
<Group id="xccdf_org.ssgproject.content_group_mounting">
<title xml:lang="en-US">Restrict Dynamic Mounting and Unmounting of
Filesystems</title>
<description xml:lang="en-US">Linux includes a number of facilities for the automated addition
and removal of filesystems on a running system. These facilities may be
necessary in many environments, but this capability also carries some risk -- whether direct
risk from allowing users to introduce arbitrary filesystems,
or risk that software flaws in the automated mount facility itself could
allow an attacker to compromise the system.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
This command can be used to list the types of filesystems that are
available to the currently executing kernel:
<pre xmlns="http://www.w3.org/1999/xhtml">$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'</pre>
If these filesystems are not required then they can be explicitly disabled
in a configuratio file in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Modprobe Loading of USB Storage Driver</title>
<description xml:lang="en-US">
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">usb-storage</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install usb-storage /bin/false</xhtml:pre>
This will prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">modprobe</xhtml:code> program from loading the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">usb-storage</xhtml:code>
module, but will not prevent an administrator (or another program) from using the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insmod</xhtml:code> program to load the module manually.</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</reference>
<rationale xml:lang="en-US">USB storage devices such as thumb drives can be used to introduce
malicious software.</rationale>
<check system="ocil-transitional">
<check-export export-name="no line is returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
If the system is configured to prevent the loading of the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">usb-storage</xhtml:code> kernel module,
it will contain lines inside any file in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code> or the deprecated<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.conf</xhtml:code>.
These lines instruct the module loading system to run another program (such as
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/bin/false</xhtml:code>) upon a module <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install</xhtml:code> event.
Run the following command to search for such lines in all files in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>
and the deprecated <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bootloader_nousb_argument" selected="false" severity="low">
<title xml:lang="en-US">Disable Kernel Support for USB via Bootloader Configuration</title>
<description xml:lang="en-US">
All USB support can be disabled by adding the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nousb</xhtml:code>
argument to the kernel's boot loader configuration. To do so,
append "nousb" to the kernel line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/grub.conf</xhtml:code> as shown:
<pre xmlns="http://www.w3.org/1999/xhtml">kernel /vmlinuz-<i>VERSION</i> ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb</pre>
<i xmlns="http://www.w3.org/1999/xhtml"><b>WARNING:</b> Disabling all kernel support for USB will cause problems for
systems with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.</i></description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</reference>
<rationale xml:lang="en-US">Disabling the USB subsystem within the Linux kernel at system boot will
protect against potentially malicious USB devices, although it is only practical
in specialized systems.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bios_disable_usb_boot" selected="false" severity="low">
<title xml:lang="en-US">Disable Booting from USB Devices in Boot Firmware</title>
<description xml:lang="en-US">Configure the system boot firmware (historically called BIOS on PC
systems) to disallow booting from USB drives.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</reference>
<rationale xml:lang="en-US">Booting a system from a USB device would allow an attacker to
circumvent any security measures provided by the operating system. Attackers
could mount partitions and modify the configuration of the OS.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bios_assign_password" selected="false" severity="low">
<title xml:lang="en-US">Assign Password to Prevent Changes to Boot Firmware Configuration</title>
<description xml:lang="en-US">Assign a password to the system boot firmware (historically called BIOS on PC
systems) to require a password for any configuration changes.
</description>
<rationale xml:lang="en-US">Assigning a password to the system boot firmware prevents anyone
with physical access from configuring the system to boot
from local media and circumvent the operating system's access controls.
For systems in physically secure locations, such as
a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed
against the risk of administrative personnel being unable to conduct recovery operations in
a timely fashion.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable the Automounter</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/misc/cd</xhtml:code>.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>
rather than relying on the automounter.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable autofs.service</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1250</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</reference>
<rationale xml:lang="en-US">Disabling the automounter permits the administrator to
statically control filesystem mounting through <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> service is disabled in system boot configuration, run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>autofs</xhtml:code> --list</xhtml:pre>
Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>autofs</xhtml:code> --list
<xhtml:code>autofs</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre>
Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs</xhtml:code> is disabled through current runtime configuration:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service autofs status</xhtml:pre>
If the service is disabled the command will return the following output:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">autofs is stopped</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount" selected="false" severity="low">
<title xml:lang="en-US">Disable GNOME3 Automounting</title>
<description xml:lang="en-US">The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount and autorun within GNOME3,
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount</xhtml:code>, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount-open</xhtml:code>, and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autorun-never</xhtml:code> settings must be set
under an appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(d)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-19(e)</reference>
<rationale xml:lang="en-US">Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:217" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="GNOME automounting is not disabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
These settings can be verified by running the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.media-handling automount
$ gsettings get org.gnome.desktop.media-handling automount-open
$ gsettings get org.gnome.desktop.media-handling autorun-never</pre>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">false</xhtml:code>.
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount-open</xhtml:code>should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">false</xhtml:code>.
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autorun-never</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure that users cannot enable automount and autorun in GNOME3, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/media-handling/automount</xhtml:code>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">automount-open</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/media-handling/auto-open</xhtml:code>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autorun-never</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/media-handling/autorun-never</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of cramfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">cramfs</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install cramfs /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of freevxfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">freevxfs</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install freevxfs /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of jffs2</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">jffs2</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install jffs2 /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of hfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">hfs</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install hfs /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of hfsplus</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">hfsplus</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install hfsplus /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of squashfs</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">squashfs</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install squashfs /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Mounting of udf</title>
<description xml:lang="en-US">
To configure the system to prevent the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">udf</xhtml:code>
kernel module from being loaded, add the following line to a file in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">install udf /bin/false</xhtml:pre>
This effectively prevents usage of this uncommon filesystem.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers" selected="false" severity="low">
<title xml:lang="en-US">Disable All GNOME3 Thumbnailers</title>
<description xml:lang="en-US">The system's default desktop environment, GNOME3, uses
a number of different thumbnailer programs to generate thumbnails
for any new or modified content in an opened folder. To disable the
execution of these thumbnail applications, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">disable-all</xhtml:code> setting must be set
under an appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
This effectively prevents an attacker from gaining access to a
system through a flaw in GNOME3's Nautilus thumbnail creators.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious
file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem
(via a web upload for example) and assuming a user browses the same location using Nautilus, the
malicious file would exploit the thumbnailer with the potential for malicious code execution. It
is best to disable these thumbnailer applications unless they are explicitly required.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:255" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="GNOME automounting is not disabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
These settings can be verified by running the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.thumbnailers disable-all</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure that users cannot how long until the the screensaver locks, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep disable-all /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/thumbnailers/disable-all</xhtml:code>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs">
<title xml:lang="en-US">Verify File Permissions Within Some Important Directories</title>
<description xml:lang="en-US">Some directories contain files whose confidentiality or integrity
is notably important and may also be susceptible to misconfiguration over time,
particularly if unpackaged software is installed. As such, an argument exists
to verify that files' permissions within these directories remain configured
correctly and restrictively.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="false" severity="medium">
<title xml:lang="en-US">Shared Library Files Have Restrictive Permissions</title>
<description xml:lang="en-US">System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre xmlns="http://www.w3.org/1999/xhtml">/lib
/lib64
/usr/lib
/usr/lib64
</pre>
Kernel modules, which can be added to the kernel during runtime, are stored in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/lib/modules</xhtml:code>. All files in these directories should not be
group-writable or world-writable. If any file in these directories is found to
be group-writable or world-writable, correct its permission with the following
command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod go-w <i>FILE</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
<rationale xml:lang="en-US">Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the
system.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:240" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="false" severity="medium">
<title xml:lang="en-US">Shared Library Files Have Root Ownership</title>
<description xml:lang="en-US">System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<pre xmlns="http://www.w3.org/1999/xhtml">/lib
/lib64
/usr/lib
/usr/lib64
</pre>
Kernel modules, which can be added to the kernel during runtime, are also
stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/lib/modules</xhtml:code>. All files in these directories should be owned
by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> user. If the directory, or any file in these directories,
is found to be owned by a user other than root correct its ownership with the
following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chown root <i>FILE</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
<rationale xml:lang="en-US">Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:148" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="false" severity="medium">
<title xml:lang="en-US">System Executables Have Restrictive Permissions</title>
<description xml:lang="en-US">
System executables are stored in the following directories by default:
<pre xmlns="http://www.w3.org/1999/xhtml">/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin</pre>
All files in these directories should not be group-writable or world-writable.
If any file <i xmlns="http://www.w3.org/1999/xhtml">FILE</i> in these directories is found to be group-writable or
world-writable, correct its permission with the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chmod go-w <i>FILE</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
<rationale xml:lang="en-US">System binaries are executed by privileged users, as well as system
services, and restrictive permissions are necessary to ensure execution of
these programs cannot be co-opted.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:233" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="false" severity="medium">
<title xml:lang="en-US">System Executables Have Root Ownership</title>
<description xml:lang="en-US">
System executables are stored in the following directories by default:
<pre xmlns="http://www.w3.org/1999/xhtml">/bin
/usr/bin
/usr/local/bin
/sbin
/usr/sbin
/usr/local/sbin</pre>
All files in these directories should be owned by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> user. If
any file <i xmlns="http://www.w3.org/1999/xhtml">FILE</i> in these directories is found to be owned by a user other
than root, correct its ownership with the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chown root <i>FILE</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
<rationale xml:lang="en-US">System binaries are executed by privileged users as well as system
services, and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:138" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_restrictions">
<title xml:lang="en-US">Restrict Programs from Dangerous Execution Patterns</title>
<description xml:lang="en-US">The recommendations in this section are designed to
ensure that the system's features to protect against potentially
dangerous program execution are activated.
These protections are applied at the system initialization or
kernel level, and defend against certain types of badly-configured
or compromised programs.</description>
<Group id="xccdf_org.ssgproject.content_group_daemon_umask">
<title xml:lang="en-US">Daemon Umask</title>
<description xml:lang="en-US">The umask is a per-process setting which limits
the default permissions for creation of new files and directories.
The system includes initialization scripts which set the default umask
for system daemons.
</description>
<Value id="xccdf_org.ssgproject.content_value_var_umask_for_daemons" operator="equals" type="string">
<title xml:lang="en-US">daemon umask</title>
<description xml:lang="en-US">Enter umask for daemons</description>
<value>022</value>
<value selector="022">022</value>
<value selector="027">027</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_umask_for_daemons" selected="false" severity="low">
<title xml:lang="en-US">Set Daemon Umask</title>
<description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/init.d/functions</xhtml:code> includes initialization
parameters for most or all daemons started at boot time. The default umask of
022 prevents creation of group- or world-writable files. To set the default
umask for daemons, edit the following line, inserting 022 or 027 for
<i xmlns="http://www.w3.org/1999/xhtml">UMASK</i> appropriately:
<pre xmlns="http://www.w3.org/1999/xhtml">umask <i>UMASK</i></pre>
Setting the umask to too restrictive a setting can cause serious errors at
runtime. Many daemons on the system already individually restrict themselves to
a umask of 077 in their own init scripts.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<rationale xml:lang="en-US">The umask influences the permissions assigned to files created by a
process at run time. An unnecessarily permissive umask could result in files
being created with insecure permissions.</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the value of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code>, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep umask /etc/init.d/functions</pre>
The output should show either <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">022</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">027</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_coredumps">
<title xml:lang="en-US">Disable Core Dumps</title>
<description xml:lang="en-US">A core dump file is the memory image of an executable
program when it was terminated by the operating system due to
errant behavior. In most cases, only software developers
legitimately need to access these files. The core dump files may
also contain sensitive information, or unnecessarily occupy large
amounts of disk space.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Once a hard limit is set in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</xhtml:code>, a
user cannot increase that limit within his or her own session. If access
to core dumps is required, consider restricting them to only
certain users or groups. See the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">limits.conf</xhtml:code> man page for more
information.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The core dumps of setuid programs are further protected. The
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sysctl</xhtml:code> variable <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fs.suid_dumpable</xhtml:code> controls whether
the kernel allows core dumps from these programs at all. The default
value of 0 is recommended.</description>
<Rule id="xccdf_org.ssgproject.content_rule_disable_users_coredumps" selected="false" severity="low">
<title xml:lang="en-US">Disable Core Dumps for All Users</title>
<description xml:lang="en-US">To disable core dumps for all users, add the following line to
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">* hard core 0</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-5</reference>
<rationale xml:lang="en-US">A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.</rationale>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify that core dumps are disabled for all users, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep core /etc/security/limits.conf</pre>
The output should be:
<pre xmlns="http://www.w3.org/1999/xhtml">* hard core 0</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="false" severity="low">
<title xml:lang="en-US">Disable Core Dumps for SUID programs</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fs.suid_dumpable</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w fs.suid_dumpable=0</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">fs.suid_dumpable = 0</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-11</reference>
<rationale xml:lang="en-US">The core dump of a setuid program is more likely to contain
sensitive data, as the program itself runs with greater privileges than the
user who initiated execution of the program. Disabling the ability for any
setuid program to write a core file decreases the risk of unauthorized access
of such data.</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fs.suid_dumpable</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl fs.suid_dumpable</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_enable_execshield_settings">
<title xml:lang="en-US">Enable ExecShield</title>
<description xml:lang="en-US">ExecShield describes kernel features that provide
protection against exploitation of memory corruption errors such as buffer
overflows. These features include random placement of the stack and other
memory regions, prevention of execution in memory that should only hold data,
and special handling of text buffers. These protections are enabled by default
on 32-bit systems and controlled through <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sysctl</xhtml:code> variables
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.exec-shield</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.randomize_va_space</xhtml:code>. On the latest
64-bit systems, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.exec-shield</xhtml:code> cannot be enabled or disabled with
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sysctl</xhtml:code>.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" selected="false" severity="medium">
<title xml:lang="en-US">Enable ExecShield</title>
<description xml:lang="en-US">By default on Fedora 64-bit systems, ExecShield is enabled and can
only be disabled if the hardware does not support ExecShield or is disabled in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/default/grub</xhtml:code>. For Fedora 32-bit systems, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sysctl</xhtml:code> can be
used to enable ExecShield.</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">ExecShield uses the segmentation feature on all x86 systems
to prevent execution in memory higher than a certain address. It
writes an address as a limit in the code segment descriptor, to
control where code can be executed, on a per-process basis. When
the kernel places a process's memory regions such as the stack and
heap higher than this address, the hardware prevents execution in that
address range. This is enabled by default on the latest Red Hat and Fedora
systems if supported by the hardware.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:175" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration." value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify ExecShield is enabled on 64-bit Fedora systems, run the following
command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ dmesg | grep '[NX|DX]*protection'</pre>
The output should not contain <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">'disabled by kernel command line option'</xhtml:code>.
To verify that ExecShield has not been disabled in the kernel configuration,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo grep noexec /boot/grub2/grub.cfg</pre>
The output should not return <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">noexec=off</xhtml:code>.
For 32-bit Fedora systems, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sysctl kernel.exec-shield</pre>
The output should be:
<pre xmlns="http://www.w3.org/1999/xhtml">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.exec-shield</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w kernel.exec-shield=1</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">kernel.exec-shield = 1</xhtml:pre></pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="false" severity="medium">
<title xml:lang="en-US">Enable Randomized Layout of Virtual Address Space</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.randomize_va_space</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w kernel.randomize_va_space=2</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">kernel.randomize_va_space = 2</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US"> Address space layout randomization (ASLR) makes it more difficult
for an attacker to predict the location of attack code they have introduced
into a process's address space during an attempt at exploitation. Additionally, ASLR
makes it more difficult for an attacker to know the location of existing code
in order to re-purpose it using return oriented programming (ROP) techniques.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.randomize_va_space</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl kernel.randomize_va_space</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">2</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_enable_nx">
<title xml:lang="en-US">Enable Execute Disable (XD) or No Execute (NX) Support on
x86 Systems</title>
<description xml:lang="en-US">Recent processors in the x86 family support the
ability to prevent code execution on a per memory page basis.
Generically and on AMD processors, this ability is called No
Execute (NX), while on Intel processors it is called Execute
Disable (XD). This ability can help prevent exploitation of buffer
overflow vulnerabilities and should be activated whenever possible.
Extra steps must be taken to ensure that this protection is
enabled, particularly on 32-bit x86 systems. Other processors, such
as Itanium and POWER, have included such support since inception
and the standard kernel for those platforms supports the
feature. This is enabled by default on the latest Red Hat and
Fedora systems if supported by the hardware.</description>
<Rule id="xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" selected="false" severity="low">
<title xml:lang="en-US">Install PAE Kernel on Supported 32-bit x86 Systems</title>
<description xml:lang="en-US">Systems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo yum install kernel-PAE</pre>
The installation process should also have configured the
bootloader to load the new kernel at boot. Verify this at reboot
and modify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/default/grub</xhtml:code> if necessary.</description>
<warning xml:lang="en-US" override="false" category="hardware">The kernel-PAE package should not be
installed on older systems that do not support the XD or NX bit, as
this may prevent them from booting.</warning>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">On 32-bit systems that support the XD or NX bit, the vendor-supplied
PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions" selected="false" severity="low">
<title xml:lang="en-US">Enable NX or XD Support in the BIOS</title>
<description xml:lang="en-US">Reboot the system and enter the BIOS or Setup configuration menu.
Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
on AMD-based systems.</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
allow users to turn the feature on or off at will.</rationale>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_enable_dmesg_restriction" selected="false" severity="low">
<title xml:lang="en-US">Restrict Access to Kernel Message Buffer</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.dmesg_restrict</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w kernel.dmesg_restrict=1</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">kernel.dmesg_restrict = 1</xhtml:pre>
</description>
<rationale xml:lang="en-US">Unprivileged access to the kernel syslog can expose sensitive kernel
address information.</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">kernel.dmesg_restrict</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl kernel.dmesg_restrict</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts">
<title xml:lang="en-US">Account and Access Control</title>
<description xml:lang="en-US">In traditional Unix security, if an attacker gains
shell access to a certain login account, they can perform any action
or access any file to which that account has access. Therefore,
making it more difficult for unauthorized people to gain shell
access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces
mechanisms for restricting access to accounts under Fedora.
</description>
<Group id="xccdf_org.ssgproject.content_group_accounts-restrictions">
<title xml:lang="en-US">Protect Accounts by Restricting Password-Based Login</title>
<description xml:lang="en-US">Conventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> and
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code> files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary.</description>
<Group id="xccdf_org.ssgproject.content_group_root_logins">
<title xml:lang="en-US">Restrict Root Logins</title>
<description xml:lang="en-US">
Direct root logins should be allowed only for emergency use.
In normal situations, the administrator should access the system
via a unique unprivileged account, and then use <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">su</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> to execute
privileged commands. Discouraging administrators from accessing the
root account directly ensures an audit trail in organizations with
multiple administrators. Locking down the channels through which
root can connect directly also reduces opportunities for
password-guessing against the root account. The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">login</xhtml:code> program
uses the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code> to determine which interfaces
should allow root logins.
The virtual devices <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/console</xhtml:code>
and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/tty*</xhtml:code> represent the system consoles (accessible via
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
installation). The default securetty file also contains <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/vc/*</xhtml:code>.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Furthermore, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/hvc*</xhtml:code> represent virtio-serial
consoles, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/hvsi*</xhtml:code> IBM pSeries serial consoles, and finally
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/xvc0</xhtml:code> Xen virtual console. Root should also be prohibited
from connecting via network protocols. Other sections of this document
include guidance describing how to prevent root from logging in via SSH.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="false" severity="medium">
<title xml:lang="en-US">Direct root Logins Not Allowed</title>
<description xml:lang="en-US">To further limit access to the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> account, administrators
can disable root logins at the console by editing the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code> file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to his machine as root via Telnet, which sends the password in
plain text over the network. By default, Fedora's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code> file
only allows the root user to login at the console physically attached to the
machine. To prevent root from logging in, remove the contents of this file.
To prevent direct root logins, remove the contents of this file by typing the
following command:
<pre xmlns="http://www.w3.org/1999/xhtml">
echo > /etc/securetty
</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<rationale xml:lang="en-US">
Disabling direct root logins ensures proper accountability and multifactor
authentication to privileged accounts. Users will first login, then escalate
to privileged (root) access via su / sudo. This scenario is nowadays required
by security standards.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the /etc/securetty file is not empty" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure root may not directly login to the system over physical consoles,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">cat /etc/securetty</pre>
If any output is returned, this is a finding.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="false" severity="medium">
<title xml:lang="en-US">Virtual Console Root Logins Restricted</title>
<description xml:lang="en-US">
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">vc/1
vc/2
vc/3
vc/4</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</reference>
<rationale xml:lang="en-US">
Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system
using the root account.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:281" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="root login over virtual console devices is permitted" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check for virtual console entries which permit root login, run the
following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep ^vc/[0-9] /etc/securetty</pre>
If any output is returned, then root logins over virtual console devices is permitted.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="false" severity="low">
<title xml:lang="en-US">Serial Port Root Logins Restricted</title>
<description xml:lang="en-US">To restrict root logins on serial ports,
ensure lines of this form do not appear in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">ttyS0
ttyS1</pre>
<!-- TODO: discussion/description of serial port -->
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</reference>
<rationale xml:lang="en-US">
Preventing direct root login to serial port interfaces
helps ensure accountability for actions taken on the systems
using the root account.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:245" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="root login over serial ports is permitted" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check for serial port entries which permit root login,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep ^ttyS/[0-9] /etc/securetty</pre>
If any output is returned, then root login over serial ports is permitted.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_root_webbrowsing" selected="false" severity="low">
<title xml:lang="en-US">Web Browser Use for Administrative Accounts Restricted</title>
<description xml:lang="en-US">
Enforce policy requiring administrative accounts use web browsers only for
local service administration.
</description>
<rationale xml:lang="en-US">
If a browser vulnerability is exploited while running with administrative privileges,
the entire system could be compromised. Specific exceptions for local service
administration should be documented in site-defined policy.
</rationale>
<check system="ocil-transitional">
<check-export export-name="this is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Check the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> home directory for a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.mozilla</xhtml:code> directory. If
one exists, ensure browsing is limited to local service administration.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="false" severity="medium">
<title xml:lang="en-US">System Accounts Do Not Run a Shell Upon Login</title>
<description xml:lang="en-US">
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The login shell for each local account is stored in the last field of each line
in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>. System accounts are those user accounts with a user ID less than
500. The user ID is stored in the third field.
If any system account <i xmlns="http://www.w3.org/1999/xhtml">SYSACCT</i> (other than root) has a login shell,
disable it with the command:
<pre xmlns="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin <i>SYSACCT</i></pre>
</description>
<warning xml:lang="en-US" override="false" category="functionality">
Do not perform the steps in this
section on the root account. Doing so might cause the system to
become inaccessible.
</warning>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">178</reference>
<rationale xml:lang="en-US">
Ensuring shells are not given to system accounts upon login
makes it more difficult for attackers to make use of
system accounts.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:207" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="any system account (other than root) has a login shell" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To obtain a listing of all users,
their UIDs, and their shells, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd</pre>
Identify the system accounts from this listing. These will
primarily be the accounts with UID numbers less than 500, other
than root.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_uidzero_except_root" selected="false" severity="medium">
<title xml:lang="en-US">Only Root Has UID 0</title>
<description xml:lang="en-US">
If any account other than root has a UID of 0,
this misconfiguration should be investigated and the
accounts other than root should be removed or have their UID changed.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">
An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:276" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="any account other than root has a UID of 0" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To list all password file entries for accounts with UID 0, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd</pre>
This should print only one line, for the user root.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_root_path_default" selected="false" severity="low">
<title xml:lang="en-US">Root Path Is Vendor Default</title>
<description xml:lang="en-US">
Assuming root shell is bash, edit the following files:
<pre xmlns="http://www.w3.org/1999/xhtml">~/.profile</pre>
<pre xmlns="http://www.w3.org/1999/xhtml">~/.bashrc</pre>
Change any <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code> variables to the vendor default for root and remove any
empty <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code> entries or references to relative paths.
</description>
<rationale xml:lang="en-US">
The root account's executable search path must be the vendor default, and must
contain only absolute paths.
</rationale>
<check system="ocil-transitional">
<check-export export-name="any of these conditions are not met" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To view the root user's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code>, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># env | grep PATH</pre>
If correctly configured, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code> must: use vendor default settings,
have no empty entries, and have no entries beginning with a character
other than a slash (/).
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_password_storage">
<title xml:lang="en-US">Proper Storage and Existence of Password Hashes</title>
<description xml:lang="en-US">
By default, password hashes for local accounts are stored
in the second field (colon-separated) in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code>. This file should be readable only by
processes running with root credentials, preventing users from
casually accessing others' password hashes and attempting
to crack them.
However, it remains possible to misconfigure the system
and store password hashes
in world-readable files such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>, or
to even store passwords themselves in plaintext on the system.
Using system-provided tools for password change/creation
should allow administrators to avoid such misconfiguration.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="false" severity="high">
<title xml:lang="en-US">Log In to Accounts With Empty Password Impossible</title>
<description xml:lang="en-US">If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nullok</xhtml:code>
option in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> to
prevent logins with empty passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<rationale xml:lang="en-US">
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational
environments.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:127" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="NULL passwords can be used" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify that null passwords cannot be used, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep nullok /etc/pam.d/system-auth</pre>
If this produces any output, it may be possible to log into accounts
with empty passwords.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow" selected="false" severity="medium">
<title xml:lang="en-US">Password Hashes For Each Account Shadowed</title>
<description xml:lang="en-US">
If any password hashes are stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> (in the second field,
instead of an <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">x</xhtml:code>), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(h)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">201</reference>
<rationale xml:lang="en-US">
The hashes for all user account passwords should be stored in
the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code> and never in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>,
which is readable by all users.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:267" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="any stored hashes are found in /etc/passwd" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that no password hashes are stored in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd</pre>
If it produces any output, then a password hash is
stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="false" severity="low">
<title xml:lang="en-US">All GIDs referenced in /etc/passwd Defined in /etc/group</title>
<description xml:lang="en-US">
Add a group to the system for each GID referenced without a corresponding group.
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">
Inconsistency in GIDs between <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/group</xhtml:code> could lead to a user having unintended rights.
</rationale>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure all GIDs referenced in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> are defined in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/group</xhtml:code>,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># pwck -qr</pre>
There should be no output.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="false" severity="medium">
<title xml:lang="en-US">netrc Files Do Not Exist</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code> files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code> files should be removed.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(h)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">196</reference>
<rationale xml:lang="en-US">
Unencrypted passwords for remote FTP servers may be stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code>
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:200" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="any .netrc files exist" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the system for the existence of any <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code> files,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># find /home -xdev -name .netrc</pre>
<!-- needs fixup to limit search to home dirs -->
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_password_expiration">
<title xml:lang="en-US">Set Password Expiration Parameters</title>
<description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> controls several
password-related settings. Programs such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">passwd</xhtml:code>,
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">su</xhtml:code>, and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">login</xhtml:code> consult <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">login.defs(5)</xhtml:code> for more information.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS</xhtml:code> and apply it to existing accounts with the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-M</xhtml:code> flag.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS</xhtml:code> (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-m</xhtml:code>) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_WARN_AGE</xhtml:code> (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-W</xhtml:code>) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
For example, for each existing human user <i xmlns="http://www.w3.org/1999/xhtml">USER</i>, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># chage -M 180 -m 7 -W 7 USER</pre>
</description>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" type="number">
<title xml:lang="en-US">minimum password length</title>
<description xml:lang="en-US">Minimum number of characters in password</description>
<warning xml:lang="en-US" override="false" category="general">This will only check new passwords</warning>
<value>12</value>
<value selector="6">6</value>
<value selector="8">8</value>
<value selector="10">10</value>
<value selector="12">12</value>
<value selector="14">14</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" type="number">
<title xml:lang="en-US">maximum password age</title>
<description xml:lang="en-US">Maximum age of password in days</description>
<warning xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning>
<value>60</value>
<value selector="60">60</value>
<value selector="90">90</value>
<value selector="120">120</value>
<value selector="180">180</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" type="number">
<title xml:lang="en-US">minimum password age</title>
<description xml:lang="en-US">Minimum age of password in days</description>
<warning xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning>
<value>7</value>
<value selector="7">7</value>
<value selector="5">5</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" type="number">
<title xml:lang="en-US">warning days before password expires</title>
<description xml:lang="en-US">The number of days' warning given before a password expires.</description>
<warning xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning>
<value>7</value>
<value selector="0">0</value>
<value selector="7">7</value>
<value selector="14">14</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="false" severity="medium">
<title xml:lang="en-US">Password Minimum Length</title>
<description xml:lang="en-US">To specify password length requirements for new accounts,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_LEN <b>LENGTH</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_LEN <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/></b></pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
Nowadays recommended values, considered as secure by various organizations
focused on topic of computer security, range from <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">12 (FISMA)</xhtml:code> up to
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">14 (DoD)</xhtml:code> characters for password length requirements.
If a program consults <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> and also another PAM module
(such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_cracklib</xhtml:code>) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">205</reference>
<rationale xml:lang="en-US">
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or
counterproductive behavior that may result.
</rationale>
<fix system="urn:xccdf:fix:script:sh">var_accounts_password_minlen_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/>"
grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:475" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs"/>
<check-content-ref name="oval:ssg:def:251" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the minimum password length, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MIN_LEN /etc/login.defs</pre>
Passwords of length <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">12</xhtml:code> characters and more are nowadays
considered to be a standard requirement.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="false" severity="medium">
<title xml:lang="en-US">Password Minimum Age</title>
<description xml:lang="en-US">To specify password minimum age for new accounts,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS <b>DAYS</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/></b></pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
A value greater than 1 day is considered to be sufficient for many environments.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(d)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">198</reference>
<rationale xml:lang="en-US">
Setting the minimum password age protects against users cycling
back to a favorite password after satisfying the password reuse
requirement.
</rationale>
<fix system="urn:xccdf:fix:script:sh">var_accounts_minimum_age_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/>"
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:477" value-id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs"/>
<check-content-ref name="oval:ssg:def:283" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the minimum password age, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MIN_DAYS /etc/login.defs</pre>
A value greater than 1 day is considered to be sufficient for many environments.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="false" severity="medium">
<title xml:lang="en-US">Password Maximum Age</title>
<description xml:lang="en-US">To specify password maximum age for new accounts,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS <b>DAYS</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/></b></pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
A value less than 180 days is sufficient for many environments.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(g)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(d)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">180</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">199</reference>
<rationale xml:lang="en-US">
Setting the password maximum age ensures users are required to
periodically change their passwords. This could possibly decrease
the utility of a stolen password. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.</rationale>
<fix system="urn:xccdf:fix:script:sh">var_accounts_maximum_age_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/>"
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:464" value-id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs"/>
<check-content-ref name="oval:ssg:def:136" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the maximum password age, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MAX_DAYS /etc/login.defs</pre>
A value less than 180 days is sufficient for many environments.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="false" severity="low">
<title xml:lang="en-US">Password Warning Age</title>
<description xml:lang="en-US">To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_WARN_AGE <b>DAYS</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">PASS_WARN_AGE <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/></b></pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
A value of 7 days would be nowadays considered to be a standard.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<rationale xml:lang="en-US">
Setting the password warning age enables users to make the change
at a practical time.
</rationale>
<fix system="urn:xccdf:fix:script:sh">var_accounts_password_warn_age_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/>"
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:472" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs"/>
<check-content-ref name="oval:ssg:def:231" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the password warning age, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_WARN_AGE /etc/login.defs</pre>
A value of 7 days would be nowadays considered to be a standard.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts-session">
<title xml:lang="en-US">Secure Session Configuration Files for Login Accounts</title>
<description xml:lang="en-US">When a user logs into a Unix account, the system
configures the user's session by reading a number of files. Many of
these files are located in the user's home directory, and may have
weak permissions as a result of user error or misconfiguration. If
an attacker can modify or even read certain types of account
configuration information, they can often gain full access to the
affected user's account. Therefore, it is important to test and
correct configuration file permissions for interactive accounts,
particularly those of privileged users such as root or system
administrators.</description>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" operator="equals" type="number">
<title xml:lang="en-US">Maximum concurrent login sessions</title>
<description xml:lang="en-US">Maximum number of concurrent sessions by a user</description>
<value>1</value>
<value selector="1">1</value>
<value selector="3">3</value>
<value selector="5">5</value>
<value selector="10">10</value>
<value selector="15">15</value>
<value selector="20">20</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" selected="false" severity="low">
<title xml:lang="en-US">Limit the Number of Concurrent Login Sessions Allowed Per User</title>
<description xml:lang="en-US">
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent
sessions per user add the following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">* hard maxlogins <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-10</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">54</reference>
<rationale xml:lang="en-US">Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions.
</rationale>
<check system="ocil-transitional">
<check-export export-name="it is not similar" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to ensure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxlogins</xhtml:code> value is configured for all users
on the system:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "maxlogins" /etc/security/limits.conf</pre>
You should receive output similar to the following:
<pre xmlns="http://www.w3.org/1999/xhtml">* hard maxlogins 10</pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_root_paths">
<title xml:lang="en-US">Ensure that No Dangerous Directories Exist in Root's Path</title>
<description xml:lang="en-US">The active path of the root account can be obtained by
starting a new root shell and running:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo echo $PATH</pre>
This will produce a colon-separated list of
directories in the path.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Certain path elements could be considered dangerous, as they could lead
to root executing unknown or
untrusted programs, which could contain malicious
code.
Since root may sometimes work inside
untrusted directories, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.</xhtml:code> character, which represents the
current directory, should never be in the root path, nor should any
directory which can be written to by an unprivileged or
semi-privileged (system) user.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
It is a good practice for administrators to always execute
privileged commands by typing the full path to the
command.</description>
<Rule id="xccdf_org.ssgproject.content_rule_root_path_no_dot" selected="false" severity="low">
<title xml:lang="en-US">Ensure that Root's Path Does Not Include Relative Paths or Null Directories</title>
<description xml:lang="en-US">
Ensure that none of the directories in root's path is equal to a single
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.</xhtml:code> character, or
that it contains any instances that lead to relative path traversal, such as
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">..</xhtml:code> or beginning a path without the slash (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/</xhtml:code>) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
<pre xmlns="http://www.w3.org/1999/xhtml">PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin</pre>
These empty elements have the same effect as a single <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.</xhtml:code> character.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">
Including these entries increases the risk that root could
execute code from an untrusted location.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable" selected="false" severity="low">
<title xml:lang="en-US">Ensure that Root's Path Does Not Include World or Group-Writable Directories</title>
<description xml:lang="en-US">
For each element in root's path, run:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -ld <i>DIR</i></pre>
and ensure that write permissions are disabled for group and
other.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">
Such entries increase the risk that root could
execute code provided by unprivileged users,
and potentially malicious code.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:274" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="group or other write permissions exist" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure write permissions are disabled for group and other
for each element in root's path, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -ld <i>DIR</i></pre>
</check-content>
</check>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_homedir_perms_no_groupwrite_worldread" selected="false" severity="low">
<title xml:lang="en-US">Ensure that User Home Directories are not Group-Writable or World-Readable</title>
<description xml:lang="en-US">For each human user of the system, view the
permissions of the user's home directory:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -ld /home/<i>USER</i></pre>
Ensure that the directory is not group-writable and that it
is not world-readable. If necessary, repair the permissions:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo chmod g-w /home/<i>USER</i>
$ sudo chmod o-rwx /home/<i>USER</i></pre>
</description>
<warning xml:lang="en-US" override="false" category="general">This action may involve
modifying user home directories. Notify your user community, and
solicit input if appropriate, before making this type of
change.</warning>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<rationale xml:lang="en-US">
User home directories contain many configuration files which
affect the behavior of a user's account. No user should ever have
write permission to another user's home directory. Group shared
directories can be configured in sub-directories or elsewhere in the
filesystem if they are needed. Typically, user home directories
should not be world-readable, as it would disclose file names
to other users. If a subset of users need read access
to one another's home directories, this can be provided using
groups or ACLs.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:155" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the user home directory is group-writable or world-readable" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the user home directory is not group-writable or world-readable, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -ld /home/<i>USER</i></pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_user_umask">
<title xml:lang="en-US">Ensure that Users Have Sensible Umask Values</title>
<description xml:lang="en-US">
The umask setting controls the default permissions
for the creation of new files.
With a default <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting of 077, files and directories
created by users will not be readable by any other user on the
system. Users who wish to make specific files group- or
world-readable can accomplish this by using the chmod command.
Additionally, users can make all their files readable to their
group by default by setting a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> of 027 in their shell
configuration files. If default per-user groups exist (that is, if
every user has a default group whose name is the same as that
user's username and whose only member is the user), then it may
even be safe for users to select a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> of 007, making it very
easy to intentionally share files with groups of which the user is
a member.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
<!--In addition, it may be necessary to change root's <tt>umask</tt>
temporarily in order to install software or files which must be
readable by other users, or to change the default umasks of certain
service accounts such as the FTP user. However, setting a
restrictive default protects the files of users who have not taken
steps to make their files more available, and preventing files from
being inadvertently shared.-->
</description>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_user_umask" operator="equals" type="string">
<title xml:lang="en-US">Sensible umask</title>
<description xml:lang="en-US">Enter default user umask</description>
<value>027</value>
<value selector="007">007</value>
<value selector="022">022</value>
<value selector="027">027</value>
<value selector="077">077</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_bashrc" selected="false" severity="low">
<title xml:lang="en-US">Ensure the Default Bash Umask is Set Correctly</title>
<description xml:lang="en-US">
To ensure the default umask for users of the Bash shell is set properly,
add or correct the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/bashrc</xhtml:code> to read
as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">umask <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting is configured correctly in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/bashrc</xhtml:code> file by
running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/bashrc</pre>
All output must show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> set to 077, as shown below:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/bashrc
umask 077
umask 077</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_cshrc" selected="false" severity="low">
<title xml:lang="en-US">Ensure the Default C Shell Umask is Set Correctly</title>
<description xml:lang="en-US">
To ensure the default umask for users of the C shell is set properly,
add or correct the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/csh.cshrc</xhtml:code> to read as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">umask <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting is configured correctly in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/csh.cshrc</xhtml:code> file by
running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/csh.cshrc</pre>
All output must show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> set to 077, as shown in the below:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/csh.cshrc
umask 077</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" selected="false" severity="low">
<title xml:lang="en-US">Ensure the Default Umask is Set Correctly in /etc/profile</title>
<description xml:lang="en-US">
To ensure the default umask controlled by <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/profile</xhtml:code> is set properly,
add or correct the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/profile</xhtml:code> to read as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">umask <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> setting is configured correctly in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/profile</xhtml:code> file by
running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/profile</pre>
All output must show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> set to 077, as shown in the below:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep "umask" /etc/profile
umask 077</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_umask_login_defs" selected="false" severity="low">
<title xml:lang="en-US">Ensure the Default Umask is Set Correctly in login.defs</title>
<description xml:lang="en-US">
To ensure the default umask controlled by <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> is set properly,
add or correct the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">UMASK</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> to read as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">UMASK <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the above command returns no output, or if the umask is configured incorrectly" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">UMASK</xhtml:code> setting is configured correctly in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> file by
running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep -i "UMASK" /etc/login.defs</pre>
All output must show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">umask</xhtml:code> set to 077, as shown in the below:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep -i "UMASK" /etc/login.defs
umask 077</pre>
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts-pam">
<title xml:lang="en-US">Protect Accounts by Configuring PAM</title>
<description xml:lang="en-US">PAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides
a flexible and configurable architecture for authentication, and it should be configured
to minimize exposure to unnecessary risk. This section contains
guidance on how to accomplish that.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
PAM is implemented as a set of shared objects which are
loaded and invoked whenever an application wishes to authenticate a
user. Typically, the application must be running as root in order
to take advantage of PAM, because PAM's modules often need to be able
to access sensitive stores of account information, such as /etc/shadow.
Traditional privileged network listeners
(e.g. sshd) or SUID programs (e.g. sudo) already meet this
requirement. An SUID root application, userhelper, is provided so
that programs which are not SUID or privileged themselves can still
take advantage of PAM.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
PAM looks in the directory <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d</xhtml:code> for
application-specific configuration information. For instance, if
the program login attempts to authenticate a user, then PAM's
libraries follow the instructions in the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/login</xhtml:code>
to determine what actions should be taken.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
One very important file in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d</xhtml:code> is
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>. This file, which is included by
many other PAM configuration files, defines 'default' system authentication
measures. Modifying this file is a good way to make far-reaching
authentication changes, for instance when implementing a
centralized authentication service.</description>
<warning xml:lang="en-US" override="false" category="general">Be careful when making changes to PAM's
configuration files. The syntax for these files is complex, and
modifications can have unexpected consequences. The default
configurations shipped with applications should be sufficient for
most users.</warning>
<warning xml:lang="en-US" override="false" category="general">Running <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">authconfig</xhtml:code> or
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">system-config-authentication</xhtml:code> will re-write the PAM configuration
files, destroying any manually made changes and replacing them with
a series of system defaults. One reference to the configuration
file syntax can be found at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html.</warning>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" operator="equals" type="number">
<title xml:lang="en-US">remember</title>
<description xml:lang="en-US">The last n passwords for each user are saved in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/opasswd</xhtml:code> in order to force password change history and
keep the user from alternating between the same password too
frequently.</description>
<value>24</value>
<value selector="0">0</value>
<value selector="5">5</value>
<value selector="10">10</value>
<value selector="24">24</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="false" severity="low">
<title xml:lang="en-US">Set Last Logon/Access Notification</title>
<description xml:lang="en-US">To configure the system to notify users of last logon/access
using <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_lastlog</xhtml:code>, add the following line immediately after <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">session required pam_limits.so</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">session required pam_lastlog.so showfailed</pre>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">53</reference>
<rationale xml:lang="en-US">
Users need to be aware of activity that occurs regarding
their account. Providing users with information regarding the number
of unsuccessful attempts that were made to login to their account
allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators.
</rationale>
<check system="ocil-transitional">
<check-export export-name="that is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure that last logon/access notification is configured correctly, run
the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_lastlog.so /etc/pam.d/system-auth</pre>
The output should show output <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">showfailed</xhtml:code>.
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_password_quality">
<title xml:lang="en-US">Set Password Quality Requirements</title>
<description xml:lang="en-US">The default <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes. The
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> module is the preferred way of configuring
password requirements.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_cracklib</xhtml:code> PAM module can also provide strength
checking for passwords as the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> module.
It performs a number of checks, such as making sure passwords are
not similar to dictionary words, are of at least a certain length,
are not the previous password reversed, and are not simply a change
of case from the previous password. It can also require passwords to
be in certain character classes.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_passwdqc</xhtml:code> PAM module also provides the ability to enforce
stringent password strength requirements. It is provided
in an RPM of the same name and can be configured by setting the configuration
settings in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwdqc.conf</xhtml:code>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The man pages <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_cracklib(8)</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_passwdqc(8)</xhtml:code>
provide information on the capabilities and configuration of
each.</description>
<Group id="xccdf_org.ssgproject.content_group_password_quality_pwquality">
<title xml:lang="en-US">Set Password Quality Requirements with pam_pwquality</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> PAM module can be configured to meet
requirements for a variety of policies.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
For example, to configure <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> to require at least one uppercase
character, lowercase character, digit, and other (special)
character, make sure that <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality</xhtml:code> exists in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=</pre>
If no such line exists, add one as the first line of the password section in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>.
Next, modify the settings in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to match the following:
<pre xmlns="http://www.w3.org/1999/xhtml">difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3</pre>
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.
</description>
<warning xml:lang="en-US" override="false" category="general">Note that the password quality
requirements are not enforced for the root account for some
reason.</warning>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_retry" operator="equals" type="number">
<title xml:lang="en-US">retry</title>
<description xml:lang="en-US">Number of retry attempts before erroring out</description>
<value>3</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="3">3</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" operator="equals" type="number">
<title xml:lang="en-US">maxrepeat</title>
<description xml:lang="en-US">Maximum Number of Consecutive Repeating Characters in a Password</description>
<value>3</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="3">3</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_minlen" operator="equals" type="number">
<title xml:lang="en-US">minlen</title>
<description xml:lang="en-US">Minimum number of characters in password</description>
<value>14</value>
<value selector="6">6</value>
<value selector="8">8</value>
<value selector="10">10</value>
<value selector="12">12</value>
<value selector="14">14</value>
<value selector="15">15</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" operator="equals" type="number">
<title xml:lang="en-US">dcredit</title>
<description xml:lang="en-US">Minimum number of digits in password</description>
<value>-1</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" operator="equals" type="number">
<title xml:lang="en-US">ocredit</title>
<description xml:lang="en-US">Minimum number of other (special characters) in
password</description>
<value>-1</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" operator="equals" type="number">
<title xml:lang="en-US">lcredit</title>
<description xml:lang="en-US">Minimum number of lower case in password</description>
<value>-1</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" operator="equals" type="number">
<title xml:lang="en-US">ucredit</title>
<description xml:lang="en-US">Minimum number of upper case in password</description>
<value>-1</value>
<value selector="2">-2</value>
<value selector="1">-1</value>
<value selector="0">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_difok" operator="equals" type="number">
<title xml:lang="en-US">difok</title>
<description xml:lang="en-US">Minimum number of characters not present in old
password</description>
<warning xml:lang="en-US" override="false" category="general">Keep this high for short
passwords</warning>
<value>4</value>
<value selector="2">2</value>
<value selector="3">3</value>
<value selector="4">4</value>
<value selector="5">5</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_password_pam_minclass" operator="equals" type="number">
<title xml:lang="en-US">minclass</title>
<description xml:lang="en-US">Minimum number of categories of characters that must exist in a password</description>
<value>3</value>
<value selector="1">1</value>
<value selector="2">2</value>
<value selector="3">3</value>
<value selector="4">4</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" operator="equals" type="number">
<title xml:lang="en-US">fail_deny</title>
<description xml:lang="en-US">Number of failed login attempts before account lockout</description>
<value>3</value>
<value selector="3">3</value>
<value selector="5">5</value>
<value selector="10">10</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" operator="equals" type="number">
<title xml:lang="en-US">fail_unlock_time</title>
<description xml:lang="en-US">Seconds before automatic unlocking after excessive failed logins</description>
<value>604800</value>
<value selector="900">900</value>
<value selector="1800">1800</value>
<value selector="3600">3600</value>
<value selector="86400">86400</value>
<value selector="604800">604800</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" operator="equals" type="number">
<title xml:lang="en-US">fail_interval</title>
<description xml:lang="en-US">Interval for counting failed login attempts before account lockout</description>
<value>900</value>
<value selector="900">900</value>
<value selector="1800">1800</value>
<value selector="3600">3600</value>
<value selector="86400">86400</value>
<value selector="100000000">100000000</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" selected="false" severity="low">
<title xml:lang="en-US">Set Password Retry Prompts Permitted Per-Session</title>
<description xml:lang="en-US">To configure the number of retry prompts that are permitted per-session:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Edit the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_pwquality.so</xhtml:code> statement in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> to
show <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">retry=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" use="legacy"/></xhtml:code>, or a lower value if site policy is more restrictive.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The DoD requirement is a maximum of 3 prompts per session.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:467" value-id="xccdf_org.ssgproject.content_value_var_password_pam_retry"/>
<check-content-ref name="oval:ssg:def:185" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many retry attempts are permitted on a per-session basis, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_pwquality /etc/pam.d/system-auth</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">retry</xhtml:code> parameter will indicate how many attempts are permitted.
The DoD required value is less than or equal to 3.
This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">retry=3</xhtml:code>, or a lower value.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" selected="false" severity="low">
<title xml:lang="en-US">Set Password to Maximum of Three Consecutive Repeating Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxrepeat</xhtml:code> parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxrepeat</xhtml:code> setting
in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to prevent a run of (<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" use="legacy"/> + 1) or more identical characters.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<rationale xml:lang="en-US">
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:473" value-id="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat"/>
<check-content-ref name="oval:ssg:def:235" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="maxrepeat is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the maximum value for consecutive repeating characters, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep maxrepeat /etc/security/pwquality.conf</pre>
Look for the value of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxrepeat</xhtml:code> parameter. The DoD requirement is 3 which would
appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">maxrepeat = 3</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Digit Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dcredit</xhtml:code> parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dcredit</xhtml:code> setting in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to require the use of a digit in passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">194</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:478" value-id="xccdf_org.ssgproject.content_value_var_password_pam_dcredit"/>
<check-content-ref name="oval:ssg:def:285" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="dcredit is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many digits are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep dcredit /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dcredit</xhtml:code> parameter (as a negative number) will indicate how many digits are required.
The DoD requires at least one digit in a password. This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dcredit = -1</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="false" severity="low">
<title xml:lang="en-US">Set Password Minimum Length</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minlen</xhtml:code> parameter controls requirements for
minimum characters required in a password. Add <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minlen=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" use="legacy"/></xhtml:code>
after pam_pwquality to set minimum password length requirements.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">205</reference>
<reference href="">78</reference>
<rationale xml:lang="en-US">
Password length is one factor of several that helps to determine
strength and how long it takes to crack a password. Use of more characters in
a password helps to exponentially increase the time and/or resources
required to compromise the password.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:468" value-id="xccdf_org.ssgproject.content_value_var_password_pam_minlen"/>
<check-content-ref name="oval:ssg:def:190" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="minlen is not found or not set to the required value (or higher)" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many characters are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep minlen /etc/security/pwquality.conf</pre>
Your output should contain <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minlen = <sub idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" use="legacy"/></xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Uppercase Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ucredit=</xhtml:code> parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ucredit</xhtml:code> setting in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to require the use of an uppercase character in passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring a minimum number of uppercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:469" value-id="xccdf_org.ssgproject.content_value_var_password_pam_ucredit"/>
<check-content-ref name="oval:ssg:def:214" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="ucredit is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many uppercase characters are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep ucredit /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ucredit</xhtml:code> parameter (as a negative number) will indicate how many uppercase characters are required.
The DoD and FISMA require at least one uppercase character in a password.
This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ucredit = -1</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Special Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ocredit=</xhtml:code> parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number, any password will be
required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ocredit</xhtml:code> setting in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to require use of a special character in passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:471" value-id="xccdf_org.ssgproject.content_value_var_password_pam_ocredit"/>
<check-content-ref name="oval:ssg:def:229" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="ocredit is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many special characters are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep ocredit /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ocredit</xhtml:code> parameter (as a negative number) will indicate how many special characters are required.
The DoD and FISMA require at least one special character in a password.
This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ocredit = -1</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Lowercase Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lcredit</xhtml:code> parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lcredit</xhtml:code> setting in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> to require the use of a lowercase character in passwords.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:476" value-id="xccdf_org.ssgproject.content_value_var_password_pam_lcredit"/>
<check-content-ref name="oval:ssg:def:262" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="lcredit is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many lowercase characters are required in a password, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep lcredit /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lcredit</xhtml:code> parameter (as a negative number) will indicate how many special characters are required.
The DoD and FISMA require at least one lowercase character in a password.
This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lcredit = -1</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Different Characters</title>
<description xml:lang="en-US">The pam_pwquality module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">difok</xhtml:code> parameter controls requirements for usage of different
characters during a password change. Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">difok</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code>
to require differing characters when changing passwords. The DoD requirement is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">4</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Requiring a minimum number of different characters during password changes ensures that
newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:474" value-id="xccdf_org.ssgproject.content_value_var_password_pam_difok"/>
<check-content-ref name="oval:ssg:def:247" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="difok is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many characters must differ during a password change, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep difok /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">difok</xhtml:code> parameter will indicate how many characters must differ. The DoD requires four characters
differ during a password change. This would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">difok = 4</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" selected="false" severity="low">
<title xml:lang="en-US">Set Password Strength Minimum Different Categories</title>
<description xml:lang="en-US">The pam_cracklib module's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minclass</xhtml:code> parameter controls requirements for
usage of different character classes, or types, of character that must exist in a password
before it is considered valid. For example, setting this value to three (3) requires that
any password must have characters from at least three different categories in order to be
approved. The default value is zero (0), meaning there are no required classes. There are
four categories available:
<pre xmlns="http://www.w3.org/1999/xhtml">
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
</pre>
Modify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minclass</xhtml:code> setting in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/pwquality.conf</xhtml:code> entry to require
differing categories of characters when changing passwords. The minimum requirement is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">3</xhtml:code>.
</description>
<rationale xml:lang="en-US">
Requiring a minimum number of character categories makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:463" value-id="xccdf_org.ssgproject.content_value_var_password_pam_minclass"/>
<check-content-ref name="oval:ssg:def:129" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="minclass is not found or not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check how many categories of characters must be used in password during a password change,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep minclass /etc/security/pwquality.conf</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minclass</xhtml:code> parameter will indicate how many character classes must be used. If
the requirement was for the password to contain characters from three different categories,
then this would appear as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">minclass = 3</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_locking_out_password_attempts">
<title xml:lang="en-US">Set Lockouts for Failed Password Attempts</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock</xhtml:code> PAM module provides the capability to
lock out user accounts after a number of failed login attempts. Its
documentation is available in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/share/doc/pam-VERSION/txts/README.pam_faillock</xhtml:code>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
</description>
<warning xml:lang="en-US" override="false" category="general">Locking out user accounts presents the
risk of a denial-of-service attack. The lockout policy
must weigh whether the risk of such a
denial-of-service attack outweighs the benefits of thwarting
password guessing attacks.</warning>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="false" severity="medium">
<title xml:lang="en-US">Set Deny For Failed Password Attempts</title>
<description xml:lang="en-US">
To configure the system to lock out accounts after a number of incorrect login
attempts using <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock.so</xhtml:code>:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Add the following lines immediately below the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix.so</xhtml:code> statement in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">AUTH</xhtml:code> section of
both <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> and /etc/pam.d/password-auth:
<pre xmlns="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=604800 fail_interval=900</pre>
<pre xmlns="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/> unlock_time=604800 fail_interval=900</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-7(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:466" value-id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny"/>
<check-content-ref name="oval:ssg:def:157" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="that is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the failed password attempt policy is configured correctly, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_faillock /etc/pam.d/system-auth</pre>
The output should show <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">deny=3</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" selected="false" severity="medium">
<title xml:lang="en-US">Set Lockout Time For Failed Password Attempts</title>
<description xml:lang="en-US">
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock.so</xhtml:code>:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Add the following lines immediately below the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_env.so</xhtml:code> statement in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=3 unlock_time=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=900</pre>
<pre xmlns="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=3 unlock_time=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/> fail_interval=900</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-7(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">47</reference>
<rationale xml:lang="en-US">
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks. Ensuring that an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations.
</rationale>
<check system="ocil-transitional">
<check-export export-name="that is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the failed password attempt policy is configured correctly, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_faillock /etc/pam.d/system-auth</pre>
The output should show <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">unlock_time=<some-large-number></xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_fail_interval" selected="false" severity="medium">
<title xml:lang="en-US">Set Interval For Counting Failed Password Attempts</title>
<description xml:lang="en-US">
Utilizing <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock.so</xhtml:code>, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fail_interval</xhtml:code> directive configures the system to lock out accounts after a number of incorrect login
attempts.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Add the following <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fail_interval</xhtml:code> directives to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_faillock.so</xhtml:code> immediately below the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_env.so</xhtml:code> statement in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/password-auth</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></pre>
<pre xmlns="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" use="legacy"/></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-7(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1452</reference>
<rationale xml:lang="en-US">
Locking out user accounts after a number of incorrect attempts within a
specific period of time prevents direct password guessing attacks.
</rationale>
<check system="ocil-transitional">
<check-export export-name="that is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the failed password attempt policy is configured correctly, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth</pre>
For each file, the output should show <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fail_interval=<interval-in-seconds></xhtml:code> where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">interval-in-seconds</xhtml:code> is 900 (15 minutes) or greater. If the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">fail_interval</xhtml:code> parameter is not set, the default setting of 900 seconds is acceptable.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" selected="false" severity="medium">
<title xml:lang="en-US">Limit Password Reuse</title>
<description xml:lang="en-US">Do not allow users to reuse recent passwords. This can
be accomplished by using the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">remember</xhtml:code> option for the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix</xhtml:code> PAM
module. In the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>, append <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">remember=<sub idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" use="legacy"/></xhtml:code> to the
line which refers to the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix.so</xhtml:code> module, as shown:
<pre xmlns="http://www.w3.org/1999/xhtml">password sufficient pam_unix.so <i>existing_options</i> remember=<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" use="legacy"/></pre>
The DoD and FISMA requirement is 24 passwords.</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:470" value-id="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember"/>
<check-content-ref name="oval:ssg:def:225" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify the password reuse setting is compliant, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep remember /etc/pam.d/system-auth</pre>
The output should show the following at the end of the line:
<pre xmlns="http://www.w3.org/1999/xhtml">remember=24</pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm">
<title xml:lang="en-US">Set Password Hashing Algorithm</title>
<description xml:lang="en-US">The system's default algorithm for storing password hashes in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code> is SHA-512. This can be configured in several
locations.</description>
<Rule id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="false" severity="medium">
<title xml:lang="en-US">Set Password Hashing Algorithm in /etc/pam.d/system-auth</title>
<description xml:lang="en-US">
In <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code>, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">password</xhtml:code> section of
the file controls which PAM modules execute during a password change.
Set the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix.so</xhtml:code> module in the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">password</xhtml:code> section to include the argument <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sha512</xhtml:code>, as shown below:
<pre xmlns="http://www.w3.org/1999/xhtml">password sufficient pam_unix.so sha512 <i>other arguments...</i></pre>
This will help ensure when local users change their passwords, hashes for the new
passwords will be generated using the SHA-512 algorithm.
This is the default.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">password</xhtml:code> section of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> and
ensure that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_unix.so</xhtml:code> module includes the argument
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sha512</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep sha512 /etc/pam.d/system-auth</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="false" severity="medium">
<title xml:lang="en-US">Set Password Hashing Algorithm in /etc/login.defs</title>
<description xml:lang="en-US">
In <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
<pre xmlns="http://www.w3.org/1999/xhtml">ENCRYPT_METHOD SHA512</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:153" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> and ensure the following line appears:
<pre xmlns="http://www.w3.org/1999/xhtml">ENCRYPT_METHOD SHA512</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="false" severity="medium">
<title xml:lang="en-US">Set Password Hashing Algorithm in /etc/libuser.conf</title>
<description xml:lang="en-US">
In <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/libuser.conf</xhtml:code>, add or correct the following line in its
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[defaults]</xhtml:code> section to ensure the system will use the SHA-512
algorithm for password hashing:
<pre xmlns="http://www.w3.org/1999/xhtml">crypt_style = sha512</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(c)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
<rationale xml:lang="en-US">
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Inspect <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/libuser.conf</xhtml:code> and ensure the following line appears
in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[default]</xhtml:code> section:
<pre xmlns="http://www.w3.org/1999/xhtml">crypt_style = sha512</pre>
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts-physical">
<title xml:lang="en-US">Protect Physical Console Access</title>
<description xml:lang="en-US">It is impossible to fully protect a system from an
attacker with physical access, so securing the space in which the
system is located should be considered a necessary step. However,
there are some steps which, if taken, make it more difficult for an
attacker to quickly or undetectably modify a system from its
console.</description>
<Group id="xccdf_org.ssgproject.content_group_bootloader">
<title xml:lang="en-US">Set Boot Loader Password</title>
<description xml:lang="en-US">During the boot process, the boot loader is
responsible for starting the execution of the kernel and passing
options to it. The boot loader allows for the selection of
different kernels - possibly on different partitions or media.
The default Fedora boot loader for x86 systems is called GRUB2.
Options it can pass to the kernel include <i xmlns="http://www.w3.org/1999/xhtml">single-user mode</i>, which
provides root access without any authentication, and the ability to
disable SELinux. To prevent local users from modifying the boot
parameters and endangering security, protect the boot loader configuration
with a password and ensure its configuration file's permissions
are set properly.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg" selected="false" severity="medium">
<title xml:lang="en-US">Verify /boot/grub2/grub.cfg User Ownership</title>
<description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code> should
be owned by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> user to prevent destruction
or modification of the file.
To properly set the owner of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># chown root/boot/grub2/grub.cfg</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
<rationale xml:lang="en-US">
Only root should be able to modify important boot parameters.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:237" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the ownership of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ls -lL /boot/grub2/grub.cfg</xhtml:pre>
If properly configured, the output should indicate the following owner:
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg" selected="false" severity="medium">
<title xml:lang="en-US">Verify /boot/grub2/grub.cfg Group Ownership</title>
<description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code> should
be group-owned by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> group to prevent
destruction or modification of the file.
To properly set the group owner of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># chgrp root/boot/grub2/grub.cfg</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
<rationale xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:278" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the group ownership of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ls -lL /boot/grub2/grub.cfg</xhtml:pre>
If properly configured, the output should indicate the following group-owner.
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="false" severity="medium">
<title xml:lang="en-US">Verify /boot/grub2/grub.cfg Permissions</title>
<description xml:lang="en-US">File permissions for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code> should be set to 600, which
is the default.
To properly set the permissions of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># chmod 600/boot/grub2/grub.cfg</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
<rationale xml:lang="en-US">
Proper permissions ensure that only the root user can modify important boot
parameters.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:192" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the permissions of /boot/grub2/grub.cfg, run the command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -lL /boot/grub2/grub.cfg</pre>
If properly configured, the output should indicate the following
permissions: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-rw-------</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_bootloader_password" selected="false" severity="medium">
<title xml:lang="en-US">Set Boot Loader Password</title>
<description xml:lang="en-US">The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
To do so, select a superuser account and password and add them into the
appropriate grub2 configuration file(s) under <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/grub.d</xhtml:code>.
Since plaintext passwords are a security risk, generate a hash for the pasword
by running the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grub2-mkpasswd-pbkdf2</pre>
When prompted, enter the password that was selected and insert the returned
password hash into the appropriate grub2 configuration file(s) under
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/grub.d</xhtml:code> immediately after the superuser account.
(Use the output from <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">grub2-mkpasswd-pbkdf2</xhtml:code> as the value of
<b xmlns="http://www.w3.org/1999/xhtml">password-hash</b>):
<pre xmlns="http://www.w3.org/1999/xhtml">password_pbkdf2 <b>superusers-account</b> <b>password-hash</b></pre>
NOTE: It is recommended not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
<br xmlns="http://www.w3.org/1999/xhtml"/>
To meet FISMA Moderate, the bootloader superuser account and password MUST
differ from the root account and password.
Once the superuser account and password have been added, update the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">grub.cfg</xhtml:code> file by running:
<pre xmlns="http://www.w3.org/1999/xhtml">grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
NOTE: Do NOT manually add the superuser account and password to the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">grub.cfg</xhtml:code> file as the grub2-mkconfig command overwrites this file.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(e)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</reference>
<rationale xml:lang="en-US">
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. For more information on how to configure
the grub2 superuser account and password, please refer to
<ul xmlns="http://www.w3.org/1999/xhtml"><li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html</li>.
</ul>
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:264" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify the boot loader superuser account and superuser account password have
been set, and the password encrypted, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">sudo grep -A1 "superusers\|password" /etc/grub2.cfg</pre>
The output should show the following:
<pre xmlns="http://www.w3.org/1999/xhtml">set superusers="<b>superusers-account</b>"
password_pbkdf2 <b>superusers-account</b> <b>password-hash</b></pre>
</check-content>
</check>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="false" severity="medium">
<title xml:lang="en-US">Require Authentication for Single User Mode</title>
<description xml:lang="en-US">Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
By default, single-user mode is protected by requiring a password and is set
in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/lib/systemd/system/rescue.service</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</reference>
<rationale xml:lang="en-US">
This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:298" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the output is different" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check if authentication is required for single-user mode, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep sulogin /usr/lib/systemd/system/rescue.service</pre>
The output should be similar to the following, and the line must begin with
ExecStart and /sbin/sulogin:
<pre xmlns="http://www.w3.org/1999/xhtml">ExecStart=-/sbin/sulogin</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="false" severity="high">
<title xml:lang="en-US">Disable Ctrl-Alt-Del Reboot Activation</title>
<description xml:lang="en-US">
By default, the system includes the following line in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/init/control-alt-delete.conf</xhtml:code>
to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
<pre xmlns="http://www.w3.org/1999/xhtml">exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</pre>
<br xmlns="http://www.w3.org/1999/xhtml"/>
To configure the system to log a message instead of
rebooting the system, alter that line to read as follows:
<pre xmlns="http://www.w3.org/1999/xhtml">exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre>
</description>
<rationale xml:lang="en-US">
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
In the GNOME graphical environment, risk of unintentional reboot from the
Ctrl-Alt-Del sequence is reduced because the user will be
prompted before any action is taken.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the system is configured to run the shutdown command" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the system is configured to log a message instead of rebooting the system when
Ctrl-Alt-Del is pressed, ensure the following line is in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/init/control-alt-delete.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_disable_interactive_boot" selected="false" severity="medium">
<title xml:lang="en-US">Disable Interactive Boot</title>
<description xml:lang="en-US">
To disable the ability for users to perform interactive startups,
edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/init</xhtml:code>.
Add or correct the line:
<pre xmlns="http://www.w3.org/1999/xhtml">PROMPT=no</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PROMPT</xhtml:code> option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-2</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</reference>
<rationale xml:lang="en-US">
Using interactive boot,
the console user could disable auditing, firewalls, or other
services, weakening system security.
</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check whether interactive boot is disabled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PROMPT /etc/sysconfig/init</pre>
If interactive boot is disabled, the output will show:
<pre xmlns="http://www.w3.org/1999/xhtml">PROMPT=no</pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_screen_locking">
<title xml:lang="en-US">Configure Screen Locking</title>
<description xml:lang="en-US">When a user must temporarily leave an account
logged-in, screen locking should be employed to prevent passersby
from abusing the account. User education and training is
particularly important for screen locking to be effective, and policies
can be implemented to reinforce this.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Automatic screen locking is only meant as a safeguard for
those cases where a user forgot to lock the screen.</description>
<Group id="xccdf_org.ssgproject.content_group_gui_screen_locking">
<title xml:lang="en-US">Configure GUI Screen Locking</title>
<description xml:lang="en-US">In the default GNOME3 desktop, the screen can be locked
by selecting the user name in the far right corner of the main panel and
selecting <b xmlns="http://www.w3.org/1999/xhtml">Lock</b>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The following sections detail commands to enforce idle activation of the screensaver,
screen locking, a blank-screen screensaver, and an idle
activation time.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Because users should be trained to lock the screen when they
step away from the computer, the automatic locking feature is only
meant as a backup.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The root account can be screen-locked; however,
the root account should <i xmlns="http://www.w3.org/1999/xhtml">never</i> be used
to log into an X Windows environment and should only be used to
for direct login via console in emergency circumstances.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
For more information about enforcing preferences in the GNOME3 environment using the DConf
configuration system, see <b xmlns="http://www.w3.org/1999/xhtml">http://wiki.gnome.org/dconf</b> and
the man page <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf(1)</xhtml:code>. For Red Hat specific information on configuring DConf
settings, see <b xmlns="http://www.w3.org/1999/xhtml">https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/part-Configuration_and_Administration.html</b>
</description>
<Value id="xccdf_org.ssgproject.content_value_inactivity_timeout_value" operator="equals" type="number">
<title xml:lang="en-US">Inactivity timeout</title>
<description xml:lang="en-US">Choose allowed duration of inactive SSH connections, shells, and X sessions</description>
<value>900</value>
<value selector="5_minutes">300</value>
<value selector="10_minutes">600</value>
<value selector="15_minutes">900</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" selected="false" severity="medium">
<title xml:lang="en-US">Set GNOME3 Screensaver Inactivity Timeout</title>
<description xml:lang="en-US">
To set the idle time-out value for inactivity in the GNOME3 desktop to 5 minutes (in seconds),
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">idle-delay</xhtml:code> setting must be set under an appropriate
configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</reference>
<rationale xml:lang="en-US">
Setting the idle delay controls when the
screensaver will start, and can be combined with
screen locking to prevent access from passersby.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:479" value-id="xccdf_org.ssgproject.content_value_inactivity_timeout_value"/>
<check-content-ref name="oval:ssg:def:294" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the current idle time-out value, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.session idle-delay</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">300</xhtml:code>.
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep idle-delay /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/session/idle-delay</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" selected="false" severity="medium">
<title xml:lang="en-US">Enable GNOME3 Screensaver Idle Activation</title>
<description xml:lang="en-US">
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">idle-activation-enabled</xhtml:code> setting must be set under an appropriate
configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</reference>
<rationale xml:lang="en-US">
Enabling idle activation of the screensaver ensures the screensaver will
be activated after the idle delay. Applications requiring continuous,
real-time screen display (such as network management products) require the
login session does not have administrator rights and the display station is located in a
controlled-access area.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:269" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>To check the screensaver mandatory use status, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/screensaver/idle-activation-enabled</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" selected="false" severity="medium">
<title xml:lang="en-US">Enable GNOME3 Screensaver Lock After Idle Period</title>
<description xml:lang="en-US">
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lock-enabled</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lock-delay</xhtml:code> setting must be set under an appropriate
configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</reference>
<rationale xml:lang="en-US">
Enabling the activation of the screen lock after an idle period
ensures password entry will be required in order to
access the system, preventing access by passersby.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:287" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check the status of the idle screen lock activation, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.screensaver lock-enabled</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To check that the screen locks when activated, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.screensaver lock-delay</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code>.
To ensure that users cannot change how long until the the screensaver locks, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep 'lock-enabled\|lock-delay' /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lock-enabled</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/screensaver/lock-enabled</xhtml:code>
If properly configured, the output for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lock-delay</xhtml:code> should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/screensaver/lock-delay</xhtml:code>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" selected="false" severity="low">
<title xml:lang="en-US">Implement Blank Screensaver</title>
<description xml:lang="en-US">
To set the screensaver mode in the GNOME3 desktop to a blank screen,
the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">picture-uri</xhtml:code> setting must be set under an appropriate
configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/local.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(b)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">60</reference>
<rationale xml:lang="en-US">
Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:172" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the screensaver is configured to be blank, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ gsettings get org.gnome.desktop.screensaver picture-uri</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">''</xhtml:code>.
To ensure that users cannot set the screensaver background, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep picture-uri /etc/dconf/db/local.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/desktop/screensaver/picture-uri</xhtml:code>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_console_screen_locking">
<title xml:lang="en-US">Configure Console Screen Locking</title>
<description xml:lang="en-US">
A console screen locking mechanism is provided in the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> package, which is not installed by default.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false" severity="low">
<title xml:lang="en-US">Install the screen Package</title>
<description xml:lang="en-US">
To enable console screen locking, install the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> package:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo yum install screen</pre>
Instruct users to begin new terminal sessions with the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ screen</pre>
The console can now be locked with the following key combination:
<pre xmlns="http://www.w3.org/1999/xhtml">ctrl+a x</pre>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">58</reference>
<rationale xml:lang="en-US">
Installing <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> ensures a console locking capability is available
for users who may need to suspend console logins.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the package is not installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> package is installed:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q screen</xhtml:pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_smart_card_login">
<title xml:lang="en-US">Hardware Tokens for Authentication</title>
<description xml:lang="en-US">
The use of hardware tokens such as smart cards for system login
provides stronger, two-factor authentication than using a username/password.
In Fedora servers and workstations, hardware token login
is not enabled by default and must be enabled in the system settings.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_smartcard_auth" selected="false" severity="medium">
<title xml:lang="en-US">Enable Smart Card Login</title>
<description xml:lang="en-US">
To enable smart card authentication, consult the documentation at:
<ul xmlns="http://www.w3.org/1999/xhtml"><li>https://docs.fedoraproject.org/docs/en-US/Fedora/18/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html</li></ul>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">765</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">766</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">767</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">768</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">771</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">772</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">884</reference>
<rationale xml:lang="en-US">Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
</rationale>
<check system="ocil-transitional">
<check-export export-name="non-exempt accounts are not using CAC authentication" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Interview the SA to determine if all accounts not exempted by policy are
using CAC authentication.
</check-content>
</check>
</Rule>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_accounts-banners">
<title xml:lang="en-US">Warning Banners for System Accesses</title>
<description xml:lang="en-US">Each system should expose as little information about
itself as possible.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
System banners, which are typically displayed just before a
login prompt, give out information about the service or the host's
operating system. This might include the distribution name and the
system kernel version, and the particular version of a network
service. This information can assist intruders in gaining access to
the system as it can reveal whether the system is running
vulnerable software. Most network services can be configured to
limit what information is displayed.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Many organizations implement security policies that require a
system banner provide notice of the system's ownership, provide
warning to unauthorized users, and remind authorized users of their
consent to monitoring.</description>
<Value id="xccdf_org.ssgproject.content_value_login_banner_text" operator="equals" type="string">
<title xml:lang="en-US">Login Banner Verbiage</title>
<description xml:lang="en-US">Enter an appropriate login banner for your organization. Please note that new lines must
be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.</description>
<value selector="usgcb_default">--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.</value>
<value selector="dod_default">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</value>
<value selector="dod_short">I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_set_system_login_banner" selected="false" severity="medium">
<title xml:lang="en-US">Modify the System Login Banner</title>
<description xml:lang="en-US">
To configure the system login banner:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/issue</xhtml:code>. Replace the default text with a message
compliant with the local site policy or a legal disclaimer.
The DoD required text is either:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
<br xmlns="http://www.w3.org/1999/xhtml"/>-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
<br xmlns="http://www.w3.org/1999/xhtml"/>-At any time, the USG may inspect and seize data stored on this IS.
<br xmlns="http://www.w3.org/1999/xhtml"/>-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
<br xmlns="http://www.w3.org/1999/xhtml"/>-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests -- not for your personal benefit or privacy.
<br xmlns="http://www.w3.org/1999/xhtml"/>-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
searching or monitoring of the content of privileged communications, or work
product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.</xhtml:code>
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
OR:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">I've read & consent to terms in IS user agreem't.</xhtml:code>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1384</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1385</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1386</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1387</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1388</reference>
<rationale xml:lang="en-US">
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:456" value-id="xccdf_org.ssgproject.content_value_login_banner_text"/>
<check-content-ref name="oval:ssg:def:253" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not display the required banner" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check if the system login banner is compliant,
run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ cat /etc/issue</pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_gui_login_banner">
<title xml:lang="en-US">Implement a GUI Warning Banner</title>
<description xml:lang="en-US">In the default graphical environment, users logging
directly into the system are greeted with a login screen provided
by the GNOME3 Display Manager (GDM). The warning banner should be
displayed in this graphical environment for these users.
The following sections describe how to configure the GDM login
banner.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" selected="false" severity="medium">
<title xml:lang="en-US">Enable GNOME3 Login Warning Banner</title>
<description xml:lang="en-US">
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">banner-message-enable</xhtml:code> setting must be
set under an appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
To display a banner, this setting must be enabled, and the user must be prevented
from making changes. The banner text must also be set.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">50</reference>
<rationale xml:lang="en-US">
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:144" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure a login warning banner is enabled, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep banner-message-enable /etc/dconf/db/gdm.d/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/login-screen/banner-message-enable</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" selected="false" severity="medium">
<title xml:lang="en-US">Set the GNOME3 Login Warning Banner Text</title>
<description xml:lang="en-US">
To set the text shown by the GNOME3 Display Manager
in the login screen, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">banner-message-text</xhtml:code> setting must be set under an
appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d</xhtml:code> directory and locked
in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
When entering a warning banner that spans several lines, remember
to begin and end the string with <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">'</xhtml:code> and use <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">\n</xhtml:code> for new lines.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(a)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(b)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-8(c)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1384</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1385</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1386</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1387</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1388</reference>
<rationale xml:lang="en-US">
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:456" value-id="xccdf_org.ssgproject.content_value_login_banner_text"/>
<check-content-ref name="oval:ssg:def:197" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the login warning banner text is properly set, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep banner-message-text /etc/dconf/db/gdm.d/*</pre>
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/login-screen/banner-message-text</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list" selected="false" severity="low">
<title xml:lang="en-US">Disable the GNOME3 Login User List</title>
<description xml:lang="en-US">In the default graphical environment, users logging
directly into the system are greeted with a login screen that displays
all known users. This functionality should be disabled.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">disable-user-list</xhtml:code> setting must be
set under an appropriate configuration file(s) in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d</xhtml:code> directory
and locked in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/dconf/db/gdm.d/locks</xhtml:code> directory to prevent user modification.
After the settings have been set, run <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dconf update</xhtml:code>.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-23</reference>
<rationale xml:lang="en-US">Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in.</rationale>
<check system="ocil-transitional">
<check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the user list is disabled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep disable-user-list /etc/dconf/db/gdm.d/*</pre>
The output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
To ensure that users cannot enable displaying the user list, run the following:
<pre xmlns="http://www.w3.org/1999/xhtml">$ grep disable-user-list /etc/dconf/db/gdm.d/locks/*</pre>
If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/org/gnome/login-screen/disable-user-list</xhtml:code>
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_network">
<title xml:lang="en-US">Network Configuration and Firewalls</title>
<description xml:lang="en-US">Most machines must be connected to a network of some
sort, and this brings with it the substantial risk of network
attack. This section discusses the security impact of decisions
about networking which must be made when configuring a system.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
This section also discusses firewalls, network access
controls, and other network security frameworks, which allow
system-level rules to be written that can limit an attackers' ability
to connect to your system. These rules can specify that network
traffic should be allowed or denied from certain IP addresses,
hosts, and networks. The rules can also specify which of the
system's network services are available to particular hosts or
networks.</description>
<Group id="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces">
<title xml:lang="en-US">Disable Unused Interfaces</title>
<description xml:lang="en-US">Network interfaces expand the attack surface of the
system. Unused interfaces are not monitored or controlled, and
should be disabled.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If the system does not require network communications but still
needs to use the loopback interface, remove all files of the form
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code> except for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ifcfg-lo</xhtml:code> from
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo rm /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre>
If the system is a standalone machine with no need for network access or even
communication over the loopback device, then disable this service.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">network</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable network.service</xhtml:pre>
</description>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_network_disable_zeroconf" selected="false" severity="low">
<title xml:lang="en-US">Disable Zeroconf Networking</title>
<description xml:lang="en-US">Zeroconf networking allows the system to assign itself an IP
address and engage in IP communication without a statically-assigned address or
even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not
recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0
subnet, add or correct the following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">NOZEROCONF=yes</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">Zeroconf addresses are in the network 169.254.0.0. The networking
scripts add entries to the system's routing table for these addresses. Zeroconf
address assignment commonly occurs when the system is configured to use DHCP
but fails to receive an address assignment from the DHCP server.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" selected="false" severity="low">
<title xml:lang="en-US">Ensure System is Not Acting as a Network Sniffer</title>
<description xml:lang="en-US">The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
<pre xmlns="http://www.w3.org/1999/xhtml">$ ip link | grep PROMISC</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-3</reference>
<rationale xml:lang="en-US">If any results are returned, then a sniffing process (such as tcpdump
or Wireshark) is likely to be using the interface and this should be
investigated.
</rationale>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_network-ipv6">
<title xml:lang="en-US">IPv6</title>
<description xml:lang="en-US">The system includes support for Internet Protocol
version 6. A major and often-mentioned improvement over IPv4 is its
enormous increase in the number of available addresses. Another
important feature is its support for automatic configuration of
many network settings.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_ipv6">
<title xml:lang="en-US">Disable Support for IPv6 Unless Needed</title>
<description xml:lang="en-US">
Despite configuration that suggests support for IPv6 has
been disabled, link-local IPv6 address auto-configuration occurs
even when only an IPv4 address is assigned. The only way to
effectively prevent execution of the IPv6 networking stack is to
instruct the system not to activate the IPv6 kernel module.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_kernel_ipv6_disable" selected="false" severity="medium">
<title xml:lang="en-US">Disable IPv6 Networking Support Automatic Loading</title>
<description xml:lang="en-US">To disable support for (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ipv6</xhtml:code>) add the following line to
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.d/ipv6.conf</xhtml:code> (or another file in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.d</xhtml:code>):
<pre xmlns="http://www.w3.org/1999/xhtml">net.ipv6.conf.all.disable_ipv6 = 1</pre>
This disables IPv6 on all network interfaces as other services and system
functionality require the IPv6 stack loaded to work.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
<rationale xml:lang="en-US">
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
the vulnerability to exploitation.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:259" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the ipv6 support is disabled on network interfaces" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
If the system uses IPv6, this is not applicable.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If the system is configured to prevent the usage of the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ipv6</xhtml:code> on network interfaces, it will contain a line
of the form:
<pre xmlns="http://www.w3.org/1999/xhtml">net.ipv6.conf.all.disable_ipv6 = 1</pre>
Such lines may be inside any file in the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.d</xhtml:code> directory.
This permits insertion of the IPv6 kernel module (which other parts of
the system expect to be present), but otherwise keeps all network interfaces
from using IPv6.
Run the following command to search for such
lines in all files in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.d</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml" xml:space="preserve">$ grep -r ipv6 /etc/sysctl.d</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_disable_interfaces" selected="false" severity="low">
<title xml:lang="en-US">Disable Interface Usage of IPv6</title>
<description xml:lang="en-US">To disable interface usage of IPv6, add or correct the following lines in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">NETWORKING_IPV6=no
IPV6INIT=no</pre>
</description>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc" selected="false" severity="low">
<title xml:lang="en-US">Disable Support for RPC IPv6</title>
<description xml:lang="en-US">RPC services for NFSv4 try to load transport modules for
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">udp6</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">tcp6</xhtml:code> by default, even if IPv6 has been disabled in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/modprobe.d</xhtml:code>. To prevent RPC services such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpc.mountd</xhtml:code>
from attempting to start IPv6 network listeners, remove or comment out the
following two lines in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/netconfig</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_configuring_ipv6">
<title xml:lang="en-US">Configure IPv6 Settings if Necessary</title>
<description xml:lang="en-US">A major feature of IPv6 is the extent to which systems
implementing it can automatically configure their networking
devices using information from the network. From a security
perspective, manually configuring important configuration
information is preferable to accepting it from the network
in an unauthenticated fashion.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig">
<title xml:lang="en-US">Disable Automatic Configuration</title>
<description xml:lang="en-US">Disable the system's acceptance of router
advertisements and redirects by adding or correcting the following
line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</xhtml:code> (note that this does not disable
sending router solicitations):
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6_AUTOCONF=no</pre>
</description>
<Value id="xccdf_org.ssgproject.content_value_sysconfig_network_IPV6_AUTOCONF_value" operator="equals" type="string">
<title xml:lang="en-US">IPV6_AUTOCONF</title>
<description xml:lang="en-US">Toggle global IPv6 auto-configuration (only, if global
forwarding is disabled)</description>
<value>no</value>
<value selector="enabled">yes</value>
<value selector="disabled">no</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_value" operator="equals" type="string">
<title xml:lang="en-US">net.ipv6.conf.default.accept_ra</title>
<description xml:lang="en-US">Accept default router advertisements?</description>
<value>0</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_redirects_value" operator="equals" type="string">
<title xml:lang="en-US">net.ipv6.conf.default.accept_redirects</title>
<description xml:lang="en-US">Toggle ICMP Redirect Acceptance</description>
<value>0</value>
<value selector="enabled">1</value>
<value selector="disabled">0</value>
</Value>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="false" severity="low">
<title xml:lang="en-US">Disable Accepting IPv6 Router Advertisements</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_ra</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w net.ipv6.conf.default.accept_ra=0</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv6.conf.default.accept_ra = 0</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">
An illicit router advertisement message could result in a man-in-the-middle attack.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_ra</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl net.ipv6.conf.default.accept_ra</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="false" severity="medium">
<title xml:lang="en-US">Disable Accepting IPv6 Redirects</title>
<description xml:lang="en-US">
To set the runtime status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_redirects</xhtml:code> kernel parameter,
run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># sysctl -w net.ipv6.conf.default.accept_redirects=0</xhtml:pre>
If this is not the system's default value, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv6.conf.default.accept_redirects = 0</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
<rationale xml:lang="en-US">
An illicit ICMP redirect message could result in a man-in-the-middle attack.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the correct value is not returned" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
The status of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.accept_redirects</xhtml:code> kernel parameter can be queried
by running the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sysctl net.ipv6.conf.default.accept_redirects</xhtml:pre>
The output of the command should indicate a value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code>.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>.
</check-content>
</check>
</Rule>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_static_address" selected="false" severity="low">
<title xml:lang="en-US">Manually Assign Global IPv6 Address</title>
<description xml:lang="en-US">To manually assign an IP address for an interface, edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code>. Add or correct the
following line (substituting the correct IPv6 address):
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6ADDR=2001:0DB8::ABCD/64</pre>
Manually assigning an IP address is preferable to accepting one from routers or
from the network otherwise. The example address here is an IPv6 address
reserved for documentation purposes, as defined by RFC3849.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions" selected="false" severity="low">
<title xml:lang="en-US">Use Privacy Extensions for Address</title>
<description xml:lang="en-US">To introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6_PRIVACY=rfc3041</pre>
Automatically-generated IPv6 addresses are based on the underlying hardware
(e.g. Ethernet) address, and so it becomes possible to track a piece of
hardware over its lifetime using its traffic. If it is important for a system's
IP address to not trivially reveal its hardware address, this setting should be
applied.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_network_ipv6_default_gateway" selected="false" severity="low">
<title xml:lang="en-US">Manually Assign IPv6 Router Address</title>
<description xml:lang="en-US">Edit the file
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<i xmlns="http://www.w3.org/1999/xhtml">interface</i></xhtml:code>, and add or correct
the following line (substituting your gateway IP as appropriate):
<pre xmlns="http://www.w3.org/1999/xhtml">IPV6_DEFAULTGW=2001:0DB8::0001</pre>
Router addresses should be manually set and not accepted via any
auto-configuration or router advertisement.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests">
<title xml:lang="en-US">Limit Network-Transmitted Configuration if Using Static IPv6 Addresses</title>
<description xml:lang="en-US">To limit the configuration information requested from other
systems and accepted from the network on a system that uses
statically-configured IPv6 addresses, add the following lines to
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1</pre>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">router_solicitations</xhtml:code> setting determines how many router
solicitations are sent when bringing up the interface. If addresses are
statically assigned, there is no need to send any solicitations.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">accept_ra_pinfo</xhtml:code> setting controls whether the system will accept
prefix info from the router.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">accept_ra_defrtr</xhtml:code> setting controls whether the system will accept
Hop Limit settings from a router advertisement. Setting it to 0 prevents a
router from changing your default IPv6 Hop Limit for outgoing packets.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">autoconf</xhtml:code> setting controls whether router advertisements can cause
the system to assign a global unicast address to an interface.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">dad_transmits</xhtml:code> setting determines how many neighbor solicitations
to send out per address (global and link-local) when bringing up an interface
to ensure the desired address is unique on the network.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">max_addresses</xhtml:code> setting determines how many global unicast IPv6
addresses can be assigned to each interface. The default is 16, but it should
be set to exactly the number of statically configured global addresses
required.
</description>
</Group>
</Group>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_services">
<title xml:lang="en-US">Services</title>
<description xml:lang="en-US">
The best protection against vulnerable software is running less software. This
section describes how to review the software which Fedora installs on a system
and disable software which is not needed. It then enumerates the software
packages installed on a default Fedora system and provides guidance about which
ones can be safely disabled.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Fedora provides a convenient minimal install option that essentially installs
the bare necessities for a functional system. When building Fedora servers, it
is highly recommended to select the minimal packages and then build up the
system from there.
</description>
<Group id="xccdf_org.ssgproject.content_group_ssh">
<title xml:lang="en-US">SSH Server</title>
<description xml:lang="en-US">The SSH protocol is recommended for remote login and remote file
transfer. SSH provides confidentiality and integrity for data exchanged between
two systems, as well as server authentication, through the use of public key
cryptography. The implementation included with the system is called OpenSSH,
and more detailed documentation is available from its website,
http://www.openssh.org. Its server program is called <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sshd</xhtml:code> and
provided by the RPM package <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">openssh-server</xhtml:code>.</description>
<Value id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" operator="equals" type="number">
<title xml:lang="en-US">SSH session Idle time</title>
<description xml:lang="en-US">Specify duration of allowed idle time.</description>
<value>300</value>
<value selector="5_minutes">300</value>
<value selector="10_minutes">600</value>
<value selector="15_minutes">900</value>
</Value>
<Group id="xccdf_org.ssgproject.content_group_ssh_server">
<title xml:lang="en-US">Configure OpenSSH Server if Necessary</title>
<description xml:lang="en-US">If the system needs to act as an SSH server, then certain changes
should be made to the OpenSSH daemon configuration file
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code>. The following recommendations can be applied
to this file. See the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sshd_config(5)</xhtml:code> man page for more detailed
information.</description>
<Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="false" severity="medium">
<title xml:lang="en-US">SSH Root Login Disabled</title>
<description xml:lang="en-US">The root user should never be allowed to login to a system
directly over a network. To disable root login via SSH, add or correct the
following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">PermitRootLogin no</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</reference>
<rationale xml:lang="en-US">
Permitting direct root login reduces auditable information about who ran
privileged commands on the system and also allows direct attack attempts on
root's password.
</rationale>
<fix system="urn:xccdf:fix:script:sh">
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
fi
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:243" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="false" severity="high">
<title xml:lang="en-US">SSH Access via Empty Passwords Disabled</title>
<description xml:lang="en-US">To explicitly disallow remote login from accounts with empty
passwords, add or correct the following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">PermitEmptyPasswords no</pre>
Any accounts with empty passwords should be disabled immediately, and PAM
configuration should prevent users from being able to assign themselves empty
passwords.
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">765</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">766</reference>
<rationale xml:lang="en-US">
Configuring this setting for the SSH daemon provides additional assurance that
remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.
</rationale>
<fix system="urn:xccdf:fix:script:sh">
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# PermitEmptyPasswords directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_EMPTY_PASSWORDS=$(sed -n '/^[[:space:]]*PermitEmptyPasswords[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
then
# Append 'PermitEmptyPasswords no' at the end of $SSHD_CONFIG
echo -e "\nPermitEmptyPasswords no" >> $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of PermitEmptyPasswords directive
sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
then
# Prepend 'PermitEmptyPasswords no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_PERMIT_EMPTY_PASSWORDS" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of PermitEmptyPasswords directive
sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'PermitEmptyPasswords no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
fi
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:227" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="false" severity="low">
<title xml:lang="en-US">SSH Idle Timeout Interval Used</title>
<description xml:lang="en-US">SSH allows administrators to set an idle timeout interval.
After this interval has passed, the idle user will be automatically logged out.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
To set an idle timeout interval, edit the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code> file,
locate the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveInterval <b>INTERVAL</b></pre>
and correct it to have the form of:
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveInterval <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/></b></pre>
The timeout <b xmlns="http://www.w3.org/1999/xhtml">INTERVAL</b> is given in seconds. To have a timeout of 15
minutes, set <b xmlns="http://www.w3.org/1999/xhtml">INTERVAL</b> to 900.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made here. Keep in mind that some processes may stop
SSH from correctly detecting that the user is idle.
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">879</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1133</reference>
<rationale xml:lang="en-US">
Causing idle users to be automatically logged out guards against compromises
one system leading trivially to compromises on another.
</rationale>
<fix system="urn:xccdf:fix:script:sh">sshd_idle_timeout_value="<sub idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/>"
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# ClientAliveInterval directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_INTERVAL=$(sed -n '/^[[:space:]]*ClientAliveInterval[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
then
# Append 'ClientAliveInterval $sshd_idle_timeout_value' at the end of $SSHD_CONFIG
echo -e "\nClientAliveInterval $sshd_idle_timeout_value" >> $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of ClientAliveInterval directive
sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
then
# Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_CLIENT_ALIVE_INTERVAL" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of ClientAliveInterval directive
sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
fi
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-export export-name="oval:ssg:var:465" value-id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value"/>
<check-content-ref name="oval:ssg:def:141" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="false" severity="low">
<title xml:lang="en-US">SSH Client Alive Count Used</title>
<description xml:lang="en-US">To ensure the SSH idle timeout occurs precisely when the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ClientAliveCountMax</xhtml:code> is set, edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code> as
follows:
<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveCountMax 0</pre>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">879</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1133</reference>
<rationale xml:lang="en-US">
This ensures a user login will be terminated as soon as the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ClientAliveCountMax</xhtml:code> is reached.
</rationale>
<fix system="urn:xccdf:fix:script:sh">
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# ClientAliveCountMax directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_COUNT_MAX=$(sed -n '/^[[:space:]]*ClientAliveCountMax[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
then
# Append 'ClientAliveCountMax 0' at the end of $SSHD_CONFIG
echo -e "\nClientAliveCountMax 0" >> $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of ClientAliveCountMax directive
sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
then
# Prepend 'ClientAliveCountMax 0' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_CLIENT_ALIVE_COUNT_MAX" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of ClientAliveCountMax directive
sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'ClientAliveCountMax 0' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
fi
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:205" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_ntp">
<title xml:lang="en-US">Network Time Protocol</title>
<description xml:lang="en-US">The Network Time Protocol is used to manage the system
clock over a network. Computer clocks are not very accurate, so
time will drift unpredictably on unmanaged systems. Central time
protocols can be used both to ensure that time is consistent among
a network of machines, and that their time is consistent with the
outside world.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If every system on a network reliably reports the same time, then it is much
easier to correlate log messages in case of an attack. In addition, a number of
cryptographic protocols (such as Kerberos) use timestamps to prevent certain
types of attacks. If your network does not have synchronized time, these
protocols may be unreliable or even unusable.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Depending on the specifics of the network, global time accuracy may be just as
important as local synchronization, or not very important at all. If your
network is connected to the Internet, using a
public timeserver (or one provided by your enterprise) provides globally
accurate timestamps which may be essential in investigating or responding to
an attack which originated outside of your network.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
A typical network setup involves a small number of internal systems operating as NTP
servers, and the remainder obtaining time information from those
internal servers.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
More information on how to configure the NTP server software,
including configuration of cryptographic authentication for
time data, is available at http://www.ntp.org.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" selected="false" severity="medium">
<title xml:lang="en-US">Enable the NTP Daemon</title>
<description xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code> service can be enabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl enable ntpd.service</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-8(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">160</reference>
<rationale xml:lang="en-US">Enabling the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code> service ensures that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code>
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The NTP daemon offers all of the functionality of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpdate</xhtml:code>, which is now
deprecated. Additional information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</rationale>
<fix system="urn:xccdf:fix:script:sh">#
# Install ntp package if necessary
#
yum -y install ntp
#
# Enable ntpd service (for current systemd target)
#
systemctl enable ntpd.service
#
# Start ntpd if not currently running
#
systemctl start ntpd.service
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:272" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the service is not running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine the current status of the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code> service:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service ntpd status</xhtml:pre>
If the service is enabled, it should return the following: <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd is running...</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" selected="false" severity="medium">
<title xml:lang="en-US">Specify a Remote NTP Server</title>
<description xml:lang="en-US">To specify a remote NTP server for time synchronization, edit
the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ntp.conf</xhtml:code>. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for <em xmlns="http://www.w3.org/1999/xhtml">ntpserver</em>:
<pre xmlns="http://www.w3.org/1999/xhtml">server <i>ntpserver</i></pre>
This instructs the NTP software to contact that remote server to obtain time
data.
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-8(1)</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">160</reference>
<rationale xml:lang="en-US">Synchronizing with an NTP server makes it possible
to collate system logs from multiple sources or correlate computer events with
real time events.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:203" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="this is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify that a remote NTP service is configured for time synchronization,
open the following file:
<pre xmlns="http://www.w3.org/1999/xhtml">/etc/ntp.conf</pre>
In the file, there should be a section similar to the following:
<pre xmlns="http://www.w3.org/1999/xhtml">server <i>ntpserver</i></pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers" selected="false" severity="low">
<title xml:lang="en-US">Specify Additional Remote NTP Servers</title>
<description xml:lang="en-US">Additional NTP servers can be specified for time synchronization
in the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ntp.conf</xhtml:code>. To do so, add additional lines of the
following form, substituting the IP address or hostname of a remote NTP server for
<em xmlns="http://www.w3.org/1999/xhtml">ntpserver</em>:
<pre xmlns="http://www.w3.org/1999/xhtml">server <i>ntpserver</i></pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-8(1)</reference>
<rationale xml:lang="en-US">Specifying additional NTP servers increases the availability of
accurate time data, in the event that one of the specified servers becomes
unavailable. This is typical for a system acting as an NTP server for
other systems.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:125" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_ftp">
<title xml:lang="en-US">FTP Server</title>
<description xml:lang="en-US">FTP is a common method for allowing remote access to
files. Like telnet, the FTP protocol is unencrypted, which means
that passwords and other data transmitted during the session can be
captured and that the session is vulnerable to hijacking.
Therefore, running the FTP server software is not recommended.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
However, there are some FTP server configurations which may
be appropriate for some environments, particularly those which
allow only read-only anonymous access as a means of downloading
data available to the public.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_vsftpd">
<title xml:lang="en-US">Disable vsftpd if Possible</title>
<Rule id="xccdf_org.ssgproject.content_rule_disable_vsftpd" selected="false" severity="low">
<title xml:lang="en-US">Disable vsftpd Service</title>
<description xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable vsftpd.service</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
<rationale xml:lang="en-US">
Running FTP server software provides a network-based avenue
of attack, and should be disabled if not needed.
Furthermore, the FTP protocol is unencrypted and creates
a risk of compromising sensitive information.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> service is disabled in system boot configuration, run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>vsftpd</xhtml:code> --list</xhtml:pre>
Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>vsftpd</xhtml:code> --list
<xhtml:code>vsftpd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre>
Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> is disabled through current runtime configuration:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service vsftpd status</xhtml:pre>
If the service is disabled the command will return the following output:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd is stopped</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_uninstall_vsftpd" selected="false" severity="low">
<title xml:lang="en-US">Uninstall vsftpd Package</title>
<description xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> package can be removed with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase vsftpd</xhtml:pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
<rationale xml:lang="en-US">
Removing the vsftpd package decreases the risk of its
accidental activation.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the package is installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> package is installed:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q vsftpd</xhtml:pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">
<title xml:lang="en-US">Use vsftpd to Provide FTP Service if Necessary</title>
<Rule id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed" selected="false" severity="low">
<title xml:lang="en-US">Install vsftpd Package</title>
<description xml:lang="en-US">If this machine must operate as an FTP server, install the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> package via the standard channels.
<pre xmlns="http://www.w3.org/1999/xhtml"># yum install vsftpd</pre>
</description>
<reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
<rationale xml:lang="en-US">After RHEL 2.1, Red Hat switched from distributing wu-ftpd with RHEL to distributing vsftpd. For security
and for consistency with future Red Hat releases, the use of vsftpd is recommended.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:168" href="ssg-fedora-oval.xml"/>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">
<title xml:lang="en-US">Use vsftpd to Provide FTP Service if Necessary</title>
<description xml:lang="en-US">The primary vsftpd configuration file is
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd.conf</xhtml:code>, if that file exists, or
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</xhtml:code> if it does not.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_log_transactions" selected="false" severity="low">
<title xml:lang="en-US">Enable Logging of All FTP Transactions</title>
<description xml:lang="en-US">Add or correct the following configuration options within the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code>
configuration file, located at <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</xhtml:code>:
<pre xmlns="http://www.w3.org/1999/xhtml">xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES</pre>
</description>
<warning xml:lang="en-US" override="false" category="general">If verbose logging to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd.log</xhtml:code> is done, sparse logging of downloads to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/log/xferlog</xhtml:code> will not also occur. However, the information about what files were downloaded is included in the information logged to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd.log</xhtml:code></warning>
<rationale xml:lang="en-US">To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log
format. The default vsftpd log file is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/log/vsftpd.log</xhtml:code>.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:167" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="xferlog_enable is missing, or is not set to yes" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Find if logging is applied to the FTP daemon.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Procedures:
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep vsftpd /etc/xinetd.d/*</pre>
<pre xmlns="http://www.w3.org/1999/xhtml"># grep server_args <i>vsftpd xinetd.d startup file</i></pre>
This will indicate the vsftpd config file used when starting through xinetd.
If the <i xmlns="http://www.w3.org/1999/xhtml">server_args</i> line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used.
<pre xmlns="http://www.w3.org/1999/xhtml"># grep xferlog_enable <i>vsftpd config file</i></pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_present_banner" selected="false" severity="medium">
<title xml:lang="en-US">Create Warning Banners for All FTP Users</title>
<description xml:lang="en-US">Edit the vsftpd configuration file, which resides at <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</xhtml:code>
by default. Add or correct the following configuration options:
<pre xmlns="http://www.w3.org/1999/xhtml">banner_file=/etc/issue</pre>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
<rationale xml:lang="en-US">This setting will cause the system greeting banner to be used for FTP connections as well.</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:292" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
If FTP services are not installed, this is not applicable.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
To verify this configuration, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">grep "banner_file" /etc/vsftpd/vsftpd.conf</pre>
The output should show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">banner_file</xhtml:code> is set to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/issue</xhtml:code>, an example of which is shown below:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep "banner_file" /etc/vsftpd/vsftpd.conf
banner_file=/etc/issue</pre>
</check-content>
</check>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_ftp_restrict_users">
<title xml:lang="en-US">Restrict the Set of Users Allowed to Access FTP</title>
<description xml:lang="en-US">This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to
do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an
identified need for this access.</description>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon" selected="false" severity="low">
<title xml:lang="en-US">Restrict Access to Anonymous Users if Possible</title>
<description xml:lang="en-US">Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than
using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
<pre xmlns="http://www.w3.org/1999/xhtml">local_enable=NO</pre>
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure
these logins as much as possible.</description>
<rationale xml:lang="en-US">The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access. </rationale>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_ftp_limit_users">
<title xml:lang="en-US">Limit Users Allowed FTP Access if Necessary</title>
<description xml:lang="en-US">If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:
<pre xmlns="http://www.w3.org/1999/xhtml">userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO</pre>
Edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftp.ftpusers</xhtml:code>. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
<pre xmlns="http://www.w3.org/1999/xhtml">USERNAME</pre>
If anonymous access is also required, add the anonymous usernames to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftp.ftpusers</xhtml:code> as well.
<pre xmlns="http://www.w3.org/1999/xhtml">anonymous
ftp</pre>
</description>
<rationale xml:lang="en-US">Historically, the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ftpusers</xhtml:code> contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">userlist deny=NO</xhtml:code> is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.</rationale>
</Group>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads" selected="false" severity="low">
<title xml:lang="en-US">Disable FTP Uploads if Possible</title>
<description xml:lang="en-US">Is there a mission-critical reason for users to upload files via FTP? If not,
edit the vsftpd configuration file to add or correct the following configuration options:
<pre xmlns="http://www.w3.org/1999/xhtml">write_enable=NO</pre>
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions
as much as possible.</description>
<rationale xml:lang="en-US">Anonymous FTP can be a convenient way to make files available for universal download. However, it is less
common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it
is necessary to ensure that files cannot be uploaded and downloaded from the same directory.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_ftp_home_partition" selected="false" severity="low">
<title xml:lang="en-US">Place the FTP Home Directory on its Own Partition</title>
<description xml:lang="en-US">By default, the anonymous FTP root is the home directory of the FTP user account. The df command can
be used to verify that this directory is on its own partition.</description>
<rationale xml:lang="en-US">If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent
these users from filling a disk used by other services.</rationale>
</Rule>
<Group id="xccdf_org.ssgproject.content_group_ftp_configure_firewall">
<title xml:lang="en-US">Configure Firewalls to Protect the FTP Server</title>
<description xml:lang="en-US">By default, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">iptables</xhtml:code>
blocks access to the ports used by the web server.
To configure <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">iptables</xhtml:code> to allow port
21 traffic one must edit
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</xhtml:code> and
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</xhtml:code> (if IPv6 is in use).
Add the following line, ensuring that it appears before the final LOG
and DROP lines for the INPUT chain:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT</xhtml:pre>
Edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables-config</xhtml:code>. Ensure that the space-separated list of modules contains
the FTP connection tracking module:
<pre xmlns="http://www.w3.org/1999/xhtml">IPTABLES_MODULES="ip_conntrack_ftp"</pre></description>
<rationale xml:lang="en-US">These settings configure iptables to allow connections to an FTP server. The first line allows initial connections
to the FTP server port.
FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client
and server negotiate an arbitrary port to be used for data transfer. The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ip_conntrack_ftp</xhtml:code> module is used by
iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an
FTP server to operate on a machine which is running a firewall.</rationale>
</Group>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_snmp">
<title xml:lang="en-US">SNMP Server</title>
<description xml:lang="en-US">The Simple Network Management Protocol allows
administrators to monitor the state of network devices, including
computers. Older versions of SNMP were well-known for weak
security, such as plaintext transmission of the community string
(used for authentication) and usage of easily-guessable
choices for the community string.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_snmp_service">
<title xml:lang="en-US">Disable SNMP Server if Possible</title>
<description xml:lang="en-US">The system includes an SNMP daemon that allows for its remote
monitoring, though it not installed by default. If it was installed and
activated but is not needed, the software should be disabled and removed.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_disable_snmpd" selected="false" severity="low">
<title xml:lang="en-US">Disable snmpd Service</title>
<description xml:lang="en-US">
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable snmpd.service</xhtml:pre>
</description>
<rationale xml:lang="en-US">
Running SNMP software provides a network-based avenue of attack, and
should be disabled if not needed.
</rationale>
<check system="ocil-transitional">
<check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> service is disabled in system boot configuration, run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>snmpd</xhtml:code> --list</xhtml:pre>
Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>snmpd</xhtml:code> --list
<xhtml:code>snmpd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre>
Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> is disabled through current runtime configuration:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service snmpd status</xhtml:pre>
If the service is disabled the command will return the following output:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd is stopped</xhtml:pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_package_net-snmp_removed" selected="false" severity="low">
<title xml:lang="en-US">Uninstall net-snmp Package</title>
<description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net-snmp</xhtml:code> package provides the snmpd service.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net-snmp</xhtml:code> package can be removed with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase net-snmp</xhtml:pre>
</description>
<rationale xml:lang="en-US">
If there is no need to run SNMP server software,
removing the package provides a safeguard against its
activation.
</rationale>
<fix system="urn:xccdf:fix:script:sh">if rpm -qa | grep -q net-snmp; then
yum -y remove net-snmp
fi
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:165" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="the package is installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net-snmp</xhtml:code> package is installed:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q net-snmp</xhtml:pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_snmp_configure_server">
<title xml:lang="en-US">Configure SNMP Server if Necessary</title>
<description xml:lang="en-US">If it is necessary to run the snmpd agent on the system, some best
practices should be followed to minimize the security risk from the
installation. The multiple security models implemented by SNMP cannot be fully
covered here so only the following general configuration advice can be offered:
<ul xmlns="http://www.w3.org/1999/xhtml"><li>use only SNMP version 3 security models and enable the use of authentication and encryption</li><li>write access to the MIB (Management Information Base) should be allowed only if necessary</li><li>all access to the MIB should be restricted following a principle of least privilege</li><li>network access should be limited to the maximum extent possible including restricting to expected network
addresses both in the configuration files and in the system firewall rules</li><li>ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management
stations</li><li>ensure that permissions on the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd.conf</xhtml:code> configuration file (by default, in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/snmp</xhtml:code>) are 640 or more restrictive</li><li>ensure that any MIB files' permissions are also 640 or more restrictive</li></ul>
</description>
<Rule id="xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" selected="false" severity="medium">
<title xml:lang="en-US">Configure SNMP Service to Use Only SNMPv3 or Newer </title>
<description xml:lang="en-US">
Edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</xhtml:code>, removing any references to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rocommunity</xhtml:code>, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rwcommunity</xhtml:code>, or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">com2sec</xhtml:code>.
Upon doing that, restart the SNMP service:
<pre xmlns="http://www.w3.org/1999/xhtml"># service snmpd restart</pre>
</description>
<rationale xml:lang="en-US">
Earlier versions of SNMP are considered insecure, as they potentially allow
unauthorized access to detailed system management information.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:164" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure only SNMPv3 or newer is used, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>
There should be no output.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_snmpd_not_default_password" selected="false" severity="medium">
<title xml:lang="en-US">Ensure Default Password Is Not Used</title>
<description xml:lang="en-US">
Edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</xhtml:code>, remove default community string <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">public</xhtml:code>.
Upon doing that, restart the SNMP service:
<pre xmlns="http://www.w3.org/1999/xhtml"># service snmpd restart</pre>
</description>
<rationale xml:lang="en-US">
Presence of the default SNMP password enables querying of different system
aspects and could result in unauthorized knowledge of the system.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:212" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To ensure the default password is not set, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep -v "^#" /etc/snmp/snmpd.conf| grep public</pre>
There should be no output.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_and_rpc">
<title xml:lang="en-US">NFS and RPC</title>
<description xml:lang="en-US">The Network File System is a popular distributed filesystem for
the Unix environment, and is very widely deployed. This section discusses the
circumstances under which it is possible to disable NFS and its dependencies,
and then details steps which should be taken to secure
NFS's configuration. This section is relevant to machines operating as NFS
clients, as well as to those operating as NFS servers.
</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_nfs">
<title xml:lang="en-US">Disable All NFS Services if Possible</title>
<description xml:lang="en-US">If there is not a reason for the system to operate as either an
NFS client or an NFS server, follow all instructions in this section to disable
subsystems required by NFS.
</description>
<warning xml:lang="en-US" override="false" category="general">The steps in this section will prevent a machine
from operating as either an NFS client or an NFS server. Only perform these
steps on machines which do not need NFS at all.</warning>
<Group id="xccdf_org.ssgproject.content_group_disabling_nfs_services">
<title xml:lang="en-US">Disable Services Used Only by NFS</title>
<description xml:lang="en-US">If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
All of these daemons run with elevated privileges, and many listen for network
connections. If they are not needed, they should be disabled to improve system
security posture.</description>
<Rule id="xccdf_org.ssgproject.content_rule_service_nfslock_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Network File System Lock Service (nfslock)</title>
<description xml:lang="en-US">The Network File System Lock (nfslock) service starts the required
remote procedure call (RPC) processes which allow clients to lock files on the
server. If the local machine is not configured to mount NFS filesystems then
this service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfslock</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable nfslock.service</xhtml:pre>
</description>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Secure RPC Client Service (rpcgssd)</title>
<description xml:lang="en-US">
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols
that use RPC (most often Kerberos and NFS). The rpcgssd service is the
client-side of RPCSEC GSS. If the system does not require secure RPC then this
service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcgssd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable rpcgssd.service</xhtml:pre>
</description>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable RPC ID Mapping Service (rpcidmapd)</title>
<description xml:lang="en-US">The rpcidmapd service is used to map user names and groups to UID
and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then
this service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcidmapd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable rpcidmapd.service</xhtml:pre>
</description>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_disabling_netfs">
<title xml:lang="en-US">Disable netfs if Possible</title>
<description xml:lang="en-US">To determine if any network filesystems handled by netfs are
currently mounted on the system execute the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># mount -t nfs,nfs4,smbfs,cifs,ncpfs</pre>
If the command did not return any output then disable netfs.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_service_netfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Network File Systems (netfs)</title>
<description xml:lang="en-US">The netfs script manages the boot-time mounting of several types
of networked filesystems, of which NFS and Samba are the most common. If these
filesystem types are not in use, the script can be disabled, protecting the
system somewhat against accidental or malicious changes to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>
and against flaws in the netfs script itself.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">netfs</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable netfs.service</xhtml:pre>
</description>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines">
<title xml:lang="en-US">Configure All Machines which Use NFS</title>
<description xml:lang="en-US">The steps in this section are appropriate for all machines which
run NFS, whether they operate as clients or as servers.</description>
<Group id="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both">
<title xml:lang="en-US">Make Each Machine a Client or a Server, not Both</title>
<description xml:lang="en-US">If NFS must be used, it should be deployed in the simplest
configuration possible to avoid maintainability problems which may lead to
unnecessary security exposure. Due to the reliability and security problems
caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for machines
which act as NFS servers to also mount filesystems via NFS. At the least,
crossed mounts (the situation in which each of two servers mounts a filesystem
from the other) should never be used.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports">
<title xml:lang="en-US">Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)</title>
<description xml:lang="en-US">Firewalling should be done at each host and at the border
firewalls to protect the NFS daemons from remote access, since NFS servers
should never be accessible from outside the organization. However, by default
for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port
dynamically at service startup time. Dynamic ports cannot be protected by port
filtering firewalls such as iptables.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Therefore, restrict each service to always use a given port, so that
firewalling can be done effectively. Note that, because of the way RPC is
implemented, it is not possible to disable the RPC Bind service even if ports
are assigned statically to all RPC services.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
In NFSv4, the mounting and locking protocols have been incorporated into the
protocol, and the server listens on the the well-known TCP port 2049. As such,
NFSv4 does not need to interact with the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcbind, lockd, and rpc.statd</xhtml:code>
daemons, which can and should be disabled in a pure NFSv4 environment. The
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpc.mountd</xhtml:code> daemon is still required on the NFS server to setup
exports, but is not involved in any over-the-wire operations.
</description>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port" selected="false" severity="low">
<title xml:lang="en-US">Configure lockd to use static TCP port</title>
<description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd</xhtml:code> daemon to use a static TCP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">LOCKD_TCPPORT=lockd-port</pre>
Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd-port</xhtml:code> is a port which is not used by any other service on
your network.
</description>
<rationale xml:lang="en-US">
Restrict service to always use a given port, so that firewalling can be done
effectively.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port" selected="false" severity="low">
<title xml:lang="en-US">Configure lockd to use static UDP port</title>
<description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd</xhtml:code> daemon to use a static UDP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">LOCKD_UDPPORT=lockd-port</pre>
Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd-port</xhtml:code> is a port which is not used by any other service on
your network.
</description>
<rationale xml:lang="en-US"> Restricting services to always use a given port enables firewalling
to be done more effectively.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_statd_port" selected="false" severity="low">
<title xml:lang="en-US">Configure statd to use static port</title>
<description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">statd</xhtml:code> daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">STATD_PORT=statd-port</pre>
Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">statd-port</xhtml:code> is a port which is not used by any other service on your network.
</description>
<rationale xml:lang="en-US"> Restricting services to always use a given port enables firewalling
to be done more effectively.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port" selected="false" severity="low">
<title xml:lang="en-US">Configure mountd to use static port</title>
<description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">mountd</xhtml:code> daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
<pre xmlns="http://www.w3.org/1999/xhtml">MOUNTD_PORT=statd-port</pre>
Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">mountd-port</xhtml:code> is a port which is not used by any other service on your network.
</description>
<rationale xml:lang="en-US"> Restricting services to always use a given port enables firewalling
to be done more effectively.
</rationale>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_configuring_clients">
<title xml:lang="en-US">Configure NFS Clients</title>
<description xml:lang="en-US">The steps in this section are appropriate for machines which operate as NFS clients.</description>
<Group id="xccdf_org.ssgproject.content_group_disabling_nfsd">
<title xml:lang="en-US">Disable NFS Server Daemons</title>
<description xml:lang="en-US">
There is no need to run the NFS server daemons <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> and
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> except on a small number of properly secured machines
designated as NFS servers. Ensure that these daemons are turned off on
clients.</description>
<Rule id="xccdf_org.ssgproject.content_rule_nfs_no_anonymous" selected="false" severity="low">
<title xml:lang="en-US">Specify UID and GID for Anonymous NFS Connections</title>
<description xml:lang="en-US">To specify the UID and GID for remote root users, edit the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> file and add the following for each export:
<pre xmlns="http://www.w3.org/1999/xhtml">
anonuid=-1
anongid=-1
</pre>
</description>
<rationale xml:lang="en-US">Specifying the anonymous UID and GID as -1 ensures that the remote root user is mapped to a local account which has no permissions on the system.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_nfs_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Network File System (nfs)</title>
<description xml:lang="en-US">The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local machine. If the local machine
is not designated as a NFS server then this service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable nfs.service</xhtml:pre>
</description>
<rationale xml:lang="en-US">Unnecessary services should be disabled to decrease the attack surface of the system.</rationale>
<check system="ocil-transitional">
<check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
It is prudent to ensure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> service is disabled in system boot, as well as
not currently running. First, run the following to verify the service is stopped:
<pre xmlns="http://www.w3.org/1999/xhtml">$ service nfs status</pre>
If the service is stopped or disabled, it will return the following:
<pre xmlns="http://www.w3.org/1999/xhtml">rpc.svcgssd is stopped
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped</pre>
To verify that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> service is disabled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ chkconfig --list nfs</pre>
If properly configured, the output should look like:
<pre xmlns="http://www.w3.org/1999/xhtml">nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off</pre>
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled" selected="false" severity="low">
<title xml:lang="en-US">Disable Secure RPC Server Service (rpcsvcgssd)</title>
<description xml:lang="en-US">The rpcsvcgssd service manages RPCSEC GSS contexts required to
secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
service is the server-side of RPCSEC GSS. If the system does not require secure
RPC then this service should be disabled.
The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> service can be disabled with the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable rpcsvcgssd.service</xhtml:pre>
</description>
<rationale xml:lang="en-US">Unnecessary services should be disabled to decrease the attack surface of the system.</rationale>
<check system="ocil-transitional">
<check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> service is disabled in system boot configuration, run the following command:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>rpcsvcgssd</xhtml:code> --list</xhtml:pre>
Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>rpcsvcgssd</xhtml:code> --list
<xhtml:code>rpcsvcgssd</xhtml:code> 0:off 1:off 2:off 3:off 4:off 5:off 6:off</xhtml:pre>
Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> is disabled through current runtime configuration:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service rpcsvcgssd status</xhtml:pre>
If the service is disabled the command will return the following output:
<xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd is stopped</xhtml:pre>
</check-content>
</check>
</Rule>
</Group>
<Group id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems">
<title xml:lang="en-US">Mount Remote Filesystems with Restrictive Options</title>
<description xml:lang="en-US">Edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>. For each filesystem whose type
(column 3) is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs4</xhtml:code>, add the text
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">,nodev,nosuid</xhtml:code> to the list of mount options in column 4. If
appropriate, also add <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">,noexec</xhtml:code>.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
See the section titled "Restrict Partition Mount Options" for a description of
the effects of these options. In general, execution of files mounted via NFS
should be considered risky because of the possibility that an adversary could
intercept the request and substitute a malicious file. Allowing setuid files to
be executed from remote servers is particularly risky, both for this reason and
because it requires the clients to extend root-level trust to the NFS
server.</description>
<Rule id="xccdf_org.ssgproject.content_rule_use_nodev_option_on_nfs_mounts" selected="false" severity="medium">
<title xml:lang="en-US">Mount Remote Filesystems with nodev</title>
<description xml:lang="en-US">
Add the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nodev</xhtml:code> option to the fourth column of
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code> for the line which controls mounting of
any NFS mounts.
</description>
<rationale xml:lang="en-US">Legitimate device files should only exist in the /dev directory. NFS mounts
should not present device files to users.</rationale>
<check system="ocil-transitional">
<check-export export-name="the setting does not show" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nodev</xhtml:code> option is configured for all NFS mounts, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ mount | grep nfs</pre>
All NFS mounts should show the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nodev</xhtml:code> setting in parentheses. This is not applicable if NFS is
not implemented.
</check-content>
</check>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_use_nosuid_option_on_nfs_mounts" selected="false" severity="medium">
<title xml:lang="en-US">Mount Remote Filesystems with nosuid</title>
<description xml:lang="en-US">
Add the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nosuid</xhtml:code> option to the fourth column of
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code> for the line which controls mounting of
any NFS mounts.
</description>
<rationale xml:lang="en-US">NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem.</rationale>
<check system="ocil-transitional">
<check-export export-name="the setting does not show" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nosuid</xhtml:code> option is configured for all NFS mounts, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml">$ mount | grep nfs</pre>
All NFS mounts should show the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nosuid</xhtml:code> setting in parentheses. This is not applicable if NFS is
not implemented.
</check-content>
</check>
</Rule>
</Group>
</Group>
<Group id="xccdf_org.ssgproject.content_group_nfs_configuring_servers">
<title xml:lang="en-US">Configure NFS Servers</title>
<description xml:lang="en-US">The steps in this section are appropriate for machines which operate as NFS servers.</description>
<Group id="xccdf_org.ssgproject.content_group_configure_exports_restrictively">
<title xml:lang="en-US">Configure the Exports File Restrictively</title>
<description xml:lang="en-US">Linux's NFS implementation uses the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> to control what filesystems
and directories may be accessed via NFS. (See the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">exports(5)</xhtml:code> manpage for more information about the
format of this file.)
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The syntax of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">exports</xhtml:code> file is not necessarily checked fully on reload, and syntax errors
can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying
the file.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
The syntax of each line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> is:
<pre xmlns="http://www.w3.org/1999/xhtml">/DIR host1(opt1,opt2) host2(opt3)</pre>
where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/DIR</xhtml:code> is a directory or filesystem to export, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">hostN</xhtml:code> is an IP address, netblock,
hostname, domain, or netgroup to which to export, and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">optN</xhtml:code> is an option.
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions">
<title xml:lang="en-US">Use Access Lists to Enforce Authorization Restrictions</title>
<description xml:lang="en-US">When configuring NFS exports, ensure that each export line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> contains
a list of hosts which are allowed to access that export. If no hosts are specified on an export line,
then that export is available to any remote host which requests it. All lines of the exports file should
specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that
unknown or remote hosts will be denied.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Authorized hosts can be specified in several different formats:
<ul xmlns="http://www.w3.org/1999/xhtml"><li>Name or alias that is recognized by the resolver</li><li>Fully qualified domain name</li><li>IP address</li><li>IP subnets in the format <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">address/netmask</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">address/CIDR</xhtml:code></li></ul>
</description>
</Group>
<Group id="xccdf_org.ssgproject.content_group_export_filesystems_read_only">
<title xml:lang="en-US">Export Filesystems Read-Only if Possible</title>
<description xml:lang="en-US">If a filesystem is being exported so that users can view the files in a convenient
fashion, but there is no need for users to edit those files, exporting the filesystem read-only
removes an attack vector against the server. The default filesystem export mode is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ro</xhtml:code>,
so do not specify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rw</xhtml:code> without a good reason.
</description>
</Group>
<Rule id="xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports" selected="false" severity="low">
<title xml:lang="en-US">Use Root-Squashing on All Exports</title>
<description xml:lang="en-US">If a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
Ensure that no line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> contains the option <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">no_root_squash</xhtml:code>.
</description>
<rationale xml:lang="en-US">If the NFS server allows root access to local file systems from remote hosts, this
access could be used to compromise the system.
</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports" selected="false" severity="low">
<title xml:lang="en-US">Restrict NFS Clients to Privileged Ports</title>
<description xml:lang="en-US">By default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over machines connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not be changed.
<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
To ensure that the default has not been changed, ensure no line in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> contains the option <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insecure</xhtml:code>.
</description>
<rationale xml:lang="en-US">Allowing client requests to be made from ports higher than 1024 could allow a unprivileged
user to initiate an NFS connection. If the unprivileged user account has been compromised, an
attacker could gain access to data on the NFS server.</rationale>
</Rule>
<Rule id="xccdf_org.ssgproject.content_rule_no_insecure_locks_exports" selected="false" severity="medium">
<title xml:lang="en-US">Ensure Insecure File Locking is Not Allowed</title>
<description xml:lang="en-US">By default the NFS server requires secure file-lock requests,
which require credentials from the client in order to lock a file. Most NFS
clients send credentials with file lock requests, however, there are a few
clients that do not send credentials when requesting a file-lock, allowing the
client to only be able to lock world-readable files. To get around this, the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insecure_locks</xhtml:code> option can be used so these clients can access the
desired export. This poses a security risk by potentially allowing the client
access to data for which it does not have authorization.
Remove any instances of the
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insecure_locks</xhtml:code> option from the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code>.
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">764</reference>
<rationale xml:lang="en-US">Allowing insecure file locking could allow for sensitive data to be
viewed or edited by an unauthorized user.
</rationale>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg:def:210" href="ssg-fedora-oval.xml"/>
</check>
<check system="ocil-transitional">
<check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
<check-content>
To verify insecure file locking has been disabled, run the following command:
<pre xmlns="http://www.w3.org/1999/xhtml"># grep insecure_locks /etc/exports</pre>
</check-content>
</check>
</Rule>
</Group>
</Group>
</Group>
</Benchmark>
</ds:component>
<ds:component id="scap_org.open-scap_comp_output--ssg-fedora-cpe-oval.xml" timestamp="2015-03-17T12:23:34">
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
<generator>
<oval:product_name>python</oval:product_name>
<oval:product_version>2.6.6</oval:product_version>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2011-09-21T13:44:00</oval:timestamp>
</generator>
<definitions><definition class="inventory" id="oval:ssg:def:100" version="1">
<metadata>
<title>Fedora release 19 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:19" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 19 (Schrödinger's Cat)</description>
</metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 19 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:103" version="1">
<metadata>
<title>Fedora release 20 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 20</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:20" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 20 (Schrödinger's Cat)</description>
</metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 20 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:104" version="1">
<metadata>
<title>Red Hat Enterprise Linux 6</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 6</description>
</metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:ssg:tst:105"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:ssg:tst:106"/>
</criteria>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:107" version="1">
<metadata>
<title>Red Hat Enterprise Linux 7</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 7</description>
</metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:108"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:ssg:tst:109"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:ssg:tst:110"/>
</criteria>
</criteria>
</definition>
</definitions><tests><ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:101" version="1">
<ind:object object_ref="oval:ssg:obj:111"/>
<ind:state state_ref="oval:ssg:ste:112"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="only_one_exists" comment="fedora-release is version 19" id="oval:ssg:tst:102" version="1">
<linux:object object_ref="oval:ssg:obj:113"/>
<linux:state state_ref="oval:ssg:ste:114"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 6" id="oval:ssg:tst:105" version="1">
<linux:object object_ref="oval:ssg:obj:115"/>
<linux:state state_ref="oval:ssg:ste:116"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 6" id="oval:ssg:tst:106" version="1">
<linux:object object_ref="oval:ssg:obj:117"/>
<linux:state state_ref="oval:ssg:ste:118"/>
</linux:rpminfo_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:108" version="1">
<ind:object object_ref="oval:ssg:obj:119"/>
<ind:state state_ref="oval:ssg:ste:120"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg:tst:109" version="1">
<linux:object object_ref="oval:ssg:obj:121"/>
<linux:state state_ref="oval:ssg:ste:122"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg:tst:110" version="1">
<linux:object object_ref="oval:ssg:obj:123"/>
<linux:state state_ref="oval:ssg:ste:124"/>
</linux:rpminfo_test>
</tests><objects><ind:family_object id="oval:ssg:obj:111" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:113" version="1">
<linux:name>fedora-release</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:115" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:117" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:family_object id="oval:ssg:obj:119" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:121" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:123" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
</objects><states><ind:family_state id="oval:ssg:ste:112" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:114" version="1">
<linux:version operation="pattern match">^19$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:116" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:118" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<ind:family_state id="oval:ssg:ste:120" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:122" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:124" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
</states></oval_definitions>
</ds:component>
<ds:component id="scap_org.open-scap_comp_output--ssg-fedora-cpe-dictionary.xml" timestamp="2015-03-17T12:23:34">
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
<cpe-item name="cpe:/o:fedoraproject:fedora:19">
<title xml:lang="en-us">Fedora release 19 (Schrödinger's Cat)</title>
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml">oval:ssg:def:100</check>
</cpe-item>
</cpe-list>
</ds:component>
<ds:component id="scap_org.open-scap_comp_output--ssg-fedora-oval.xml" timestamp="2015-03-17T12:23:34"><oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
<generator>
<oval:product_name>python</oval:product_name>
<oval:product_version>2.6.6</oval:product_version>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2011-09-21T13:44:00</oval:timestamp>
</generator>
<definitions>
<definition class="compliance" id="oval:ssg:def:125" version="1">
<metadata>
<title>Specify a Remote NTP Server for Time Data</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Multiple NTP Servers for time synchronization should be
specified</description>
<reference source="galford" ref_id="20141107" ref_url="test_attestation"/>
<reference ref_id="ntpd_specify_multiple_servers" source="ssg"/></metadata>
<criteria comment="ntp.conf conditions are met">
<criterion test_ref="oval:ssg:tst:126"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:127" version="1">
<metadata>
<title>No nullok Option in /etc/pam.d/system-auth</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The file /etc/pam.d/system-auth should not contain the nullok option</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="no_empty_passwords" source="ssg"/></metadata>
<criteria>
<criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="oval:ssg:tst:128"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:129" version="1">
<metadata>
<title>Set Password minclass Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minclass should meet the minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_minclass" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for minclass are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:131"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:100" version="1">
<metadata>
<title>Fedora release 19 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:19" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 19 (Schrödinger's Cat)</description>
<reference ref_id="installed_OS_is_fedora19" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 19 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:132" version="1">
<metadata>
<title>Package openssh-server Removed</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package openssh-server should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_openssh-server_removed" source="ssg"/></metadata>
<criteria>
<criterion comment="package openssh-server is removed" test_ref="oval:ssg:tst:133"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:134" version="1">
<metadata>
<title>Package dconf Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The RPM package dconf should be installed.</description>
<reference source="galford" ref_id="20140424" ref_url="test_attestation"/>
<reference ref_id="package_dconf_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package dconf is installed" test_ref="oval:ssg:tst:135"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:136" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The maximum password age policy should meet minimum requirements.</description>
<reference source="JL" ref_id="RHEL6_20150130" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150130" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150130" ref_url="test_attestation"/>
<reference ref_id="accounts_maximum_age_login_defs" source="ssg"/></metadata>
<criteria comment="The value PASS_MAX_DAYS should be set appropriately in /etc/login.defs">
<criterion test_ref="oval:ssg:tst:137"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:138" version="1">
<metadata>
<title>Verify that System Executables Have Root Ownership</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
/usr/local/sbin, and objects therein, are owned by root.
</description>
<reference ref_id="file_ownership_binary_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:139"/>
<criterion test_ref="oval:ssg:tst:140"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:141" version="1">
<metadata>
<title>Set OpenSSH Idle Timeout Interval</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The SSH idle timeout interval should be set to an
appropriate value.</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140224" ref_url="test_attestation" /> -->
<reference ref_id="sshd_set_idle_timeout" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="oval:ssg:tst:143"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:144" version="1">
<metadata>
<title>Enable GNOME3 Login Warning Banner</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Enable the GNOME3 Login warning banner.</description>
<reference source="galford" ref_id="20140823" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_banner_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Enable GUI banner" test_ref="oval:ssg:tst:146"/>
<criterion comment="Prevent user from disabling banner" test_ref="oval:ssg:tst:147"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:148" version="1">
<metadata>
<title>Verify that Shared Library Files Have Root Ownership</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are owned by root.
</description>
<reference ref_id="file_ownership_library_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:149"/>
<criterion test_ref="oval:ssg:tst:150"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:151" version="2">
<metadata>
<title>Disable Prelinking</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Fedora 20</platform>
</affected>
<description>The prelinking feature can interfere with the operation of
checksum integrity tools (e.g. AIDE), mitigates the protection provided
by ASLR, and requires additional CPU cycles by software upgrades.
</description>
<reference source="JL" ref_id="20140313" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140313" ref_url="test_attestation" /> -->
<reference ref_id="disable_prelink" source="ssg"/></metadata>
<criteria>
<criterion comment="Ensure prelinking is disabled" test_ref="oval:ssg:tst:152"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:153" version="2">
<metadata>
<title>Set SHA512 Password Hashing Algorithm in /etc/login.defs</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The password hashing algorithm should be set correctly in /etc/login.defs.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="set_password_hashing_algorithm_logindefs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:154"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:155" version="1">
<metadata>
<title>Proper Permissions User Home Directories</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>File permissions should be set correctly for the home directories for all user accounts.</description>
<reference source="JL" ref_id="RHEL6_20141106" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20141106" ref_url="test_attestation"/>
<reference source="JL" ref_id="Fedora20_20141106" ref_url="test_attestation"/>
<reference ref_id="file_permissions_home_dirs" source="ssg"/></metadata>
<criteria>
<criterion comment="home directories" test_ref="oval:ssg:tst:156" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:157" version="3">
<metadata>
<title>Lock out account after failed login attempts</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The number of allowed failed logins should be set correctly.</description>
<reference source="JL" ref_id="RHEL6_20150122" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150122" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150122" ref_url="test_attestation"/>
<reference ref_id="accounts_passwords_pam_faillock_deny" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:158" comment="pam_faillock.so preauth silent set in system-auth"/>
<criterion test_ref="oval:ssg:tst:159" comment="pam_faillock.so authfail deny value set in system-auth"/>
<criterion test_ref="oval:ssg:tst:160" comment="pam_faillock.so set in account phase of system-auth"/>
<criterion test_ref="oval:ssg:tst:161" comment="pam_faillock.so preauth silent set in password-auth"/>
<criterion test_ref="oval:ssg:tst:162" comment="pam_faillock.so authfail deny value set in password-auth"/>
<criterion test_ref="oval:ssg:tst:163" comment="pam_faillock.so set in account phase of password-auth"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:164" version="2">
<metadata>
<title>SNMP use newer protocols</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>SNMP version 1 and 2c must not be enabled.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="snmpd_use_newer_protocol" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="SMNP installed" definition_ref="oval:ssg:def:165"/>
<criterion comment="SNMP protocols" test_ref="oval:ssg:tst:166"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:167" version="1">
<metadata>
<title>Banner for FTP Users</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>To trace malicious activity facilitated by the FTP
service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log format.
</description>
<reference source="galford" ref_id="20140812" ref_url="test_attestation"/>
<reference ref_id="ftp_log_transactions" source="ssg"/></metadata>
<criteria comment="FTP is not being used or the conditions are met" operator="OR">
<extend_definition comment="vsftp package is not installed" definition_ref="oval:ssg:def:168" negate="true"/>
<criteria comment="FTP configuration conditions are not set or are met" operator="AND">
<criterion comment="log ftp transactions enable" test_ref="oval:ssg:tst:169"/>
<criterion comment="log ftp transactions format" test_ref="oval:ssg:tst:170"/>
<criterion comment="log ftp transactions protocol" test_ref="oval:ssg:tst:171"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:172" version="1">
<metadata>
<title>Implement Blank Screensaver</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The GNOME3 screensaver should be blank.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_mode_blank" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable blank screensaver and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="screensaver is blank" test_ref="oval:ssg:tst:173"/>
<criterion comment="screensaver prevent user from changing mode" test_ref="oval:ssg:tst:174"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:175" version="2">
<metadata>
<title>Kernel Runtime Parameter "kernel.exec-shield" Check</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The kernel runtime parameter "kernel.exec-shield" should not be disabled and set to 1 on 32-bit systems.</description>
<reference source="galford" ref_id="201410" ref_url="test_attestation"/>
<reference ref_id="sysctl_kernel_exec_shield" source="ssg"/></metadata>
<criteria operator="OR">
<criteria operator="AND" comment="system is RHEL6">
<extend_definition comment="RHEL6 installed" definition_ref="oval:ssg:def:104"/>
<criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:176"/>
<criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:177"/>
</criteria>
<criteria operator="AND">
<extend_definition comment="32-bit system" definition_ref="oval:ssg:def:178"/>
<criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:176"/>
<criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg:tst:177"/>
</criteria>
<criteria operator="AND">
<extend_definition comment="64-bit system" definition_ref="oval:ssg:def:179"/>
<criterion comment="NX is supported and is not disabled" test_ref="oval:ssg:tst:180"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:181" version="1">
<metadata>
<title>Package ntp Installed</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package ntp should be installed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_ntp_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package ntp is installed" test_ref="oval:ssg:tst:182"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:165" version="1">
<metadata>
<title>Package net-snmp Removed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The RPM package net-snmp should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
<reference ref_id="package_net-snmp_removed" source="ssg"/></metadata>
<criteria>
<criterion comment="package net-snmp is removed" test_ref="oval:ssg:tst:183"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:179" version="1">
<!-- Note that this does not meet requirements for class=inventory as
that only tests for patches per 5.10.1 Revision 1 -->
<metadata>
<title>Test for x86_64 Architecture</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>Generic test for x86_64 architecture to be used by other tests</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="system_info_architecture_x86_64" source="ssg"/></metadata>
<criteria>
<criterion comment="Generic test for x86_64 architecture" test_ref="oval:ssg:tst:184"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:185" version="1">
<metadata>
<title>Set Password retry Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password retry should meet minimum
requirements</description>
<reference source="swells" ref_id="20140925" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_retry" source="ssg"/></metadata>
<criteria operator="OR" comment="Conditions for retry are satisfied">
<criteria operator="AND" comment="system is RHEL6 with pam_cracklib configured">
<extend_definition comment="RHEL6 installed" definition_ref="oval:ssg:def:104"/>
<criterion comment="rhel6 pam_cracklib" test_ref="oval:ssg:tst:186"/>
</criteria>
<criteria operator="AND" comment="system is RHEL7 with pam_pwquality configured">
<extend_definition comment="RHEL7 installed" definition_ref="oval:ssg:def:107"/>
<criterion comment="rhel7 pam_pwquality" test_ref="oval:ssg:tst:187"/>
</criteria>
<criteria operator="AND" comment="system is Fedora with pam_pwquality configured">
<extend_definition comment="Fedora installed" definition_ref="oval:ssg:def:100"/>
<criterion comment="Fedora pam_pwquality" test_ref="oval:ssg:tst:187"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:188" version="1">
<metadata>
<title>Package Antivirus Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Antivirus software should be installed.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="install_antivirus" source="ssg"/></metadata>
<criteria comment="Antivirus is not being used or conditions are met">
<criterion comment="Linuxshield AntiVirus package is installed" test_ref="oval:ssg:tst:189"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:190" version="1">
<metadata>
<title>Set Password minlen Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minlen should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_minlen" source="ssg"/></metadata>
<criteria operator="AND" comment="system uses pam_pwquality configured">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pam_pwquality" test_ref="oval:ssg:tst:191"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:103" version="1">
<metadata>
<title>Fedora release 20 (Schrödinger's Cat)</title>
<affected family="unix">
<platform>Fedora 20</platform>
</affected>
<reference ref_id="cpe:/o:fedoraproject:fedora:20" source="CPE"/>
<description>The operating system installed on the system is
Fedora release 20 (Schrödinger's Cat)</description>
<reference ref_id="installed_OS_is_fedora20" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criterion comment="Fedora release 20 is installed" test_ref="oval:ssg:tst:102"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:192" version="1">
<metadata>
<title>File grub.cfg Permissions</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>File permissions for grub.cfg should be set to 0600 (or stronger). By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_permissions_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:193"/>
<criterion test_ref="oval:ssg:tst:194"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:195" version="1">
<metadata>
<title>Ensure gpgcheck Enabled For All Yum Package Repositories</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Ensure all yum repositories utilize signature checking.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- rhel7 <reference source="SDW" ref_id="20131223" ref_url="test_attestation" /> -->
<reference ref_id="ensure_gpgcheck_never_disabled" source="ssg"/></metadata>
<criteria comment="ensure all yum repositories utilize signiature checking" operator="AND">
<criterion comment="verify no gpgpcheck=0 present in /etc/yum.repos.d files" test_ref="oval:ssg:tst:196"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:197" version="1">
<metadata>
<title>Enable GUI Warning Banner</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Enable the GUI warning banner.</description>
<reference source="galford" ref_id="20140902" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_login_banner_text" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Prevent user from changing banner" test_ref="oval:ssg:tst:198"/>
<criterion comment="Login banner is correctly set" test_ref="oval:ssg:tst:199"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:200" version="1">
<metadata>
<title>Verify No netrc Files Exist</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="no_netrc_files" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:201" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:178" version="1">
<!-- Note that this does not meet requirements for class=inventory as
that only tests for patches per 5.10.1 Revision 1 -->
<metadata>
<title>Test for x86 Architecture</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>Generic test for x86 architecture to be used by other tests</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="system_info_architecture_x86" source="ssg"/></metadata>
<criteria>
<criterion comment="Generic test for x86 architecture" test_ref="oval:ssg:tst:202"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:203" version="1">
<metadata>
<title>Specify a Remote NTP Server for Time Data</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>A remote NTP Server for time synchronization should be
specified (and dependencies are met)</description>
<reference source="galford" ref_id="20141111" ref_url="test_attestation"/>
<reference ref_id="ntpd_specify_remote_server" source="ssg"/></metadata>
<criteria comment="ntp.conf conditions are met">
<criterion test_ref="oval:ssg:tst:204"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:205" version="1">
<metadata>
<title>Set ClientAliveCountMax for User Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The SSH ClientAliveCountMax should be set to an appropriate
value (and dependencies are met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_set_keepalive" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config" test_ref="oval:ssg:tst:206"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:207" version="1">
<metadata>
<title>System Accounts Do Not Run a Shell</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The root account is the only system account that should have a login shell.</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="no_shelllogin_for_systemaccounts" source="ssg"/></metadata>
<criteria>
<criterion comment="tests for the presence of login shells (not /sbin/nologin) for system accounts in /etc/passwd file" test_ref="oval:ssg:tst:208"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:168" version="1">
<metadata>
<title>Package vsftpd Installed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package vsftpd should be installed.</description>
<reference source="JL" ref_id="20140522" ref_url="test_attestation"/>
<reference ref_id="package_vsftpd_installed" source="ssg"/></metadata>
<criteria>
<criterion comment="package vsftpd is installed" test_ref="oval:ssg:tst:209"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:210" version="1">
<metadata>
<title>Ensure insecure_locks is disabled</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Allowing insecure file locking could allow for sensitive
data to be viewed or edited by an unauthorized user.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="no_insecure_locks_exports" source="ssg"/></metadata>
<criteria>
<criterion comment="Check for insecure NFS locks in /etc/exports" test_ref="oval:ssg:tst:211"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:212" version="2">
<metadata>
<title>SNMP default communities disabled</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>SNMP default communities must be removed.</description>
<reference source="galford" ref_id="20140813" ref_url="test_attestation"/>
<reference ref_id="snmpd_not_default_password" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="SMNP installed" definition_ref="oval:ssg:def:165"/>
<criterion comment="SNMP communities" test_ref="oval:ssg:tst:213"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:214" version="2">
<metadata>
<title>Set Password ucredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password ucredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_ucredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for ucredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:215"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:130" version="1">
<metadata>
<title>Check pam_pwquality Existence in system-auth</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>Check that pam_pwquality.so exists in system-auth</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_pwquality" source="ssg"/></metadata>
<criteria>
<criterion comment="Conditions for pam_pwquality are satisfied" test_ref="oval:ssg:tst:216"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:217" version="1">
<metadata>
<title>Disable GNOME3 Automounting</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives)
whenever they are inserted into the system. Disable automount and autorun
within GNOME3.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_disable_automount" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Disable automount in GNOME3" test_ref="oval:ssg:tst:218"/>
<criterion comment="Disable automount-open in GNOME3" test_ref="oval:ssg:tst:219"/>
<criterion comment="Disable autorun in GNOME3" test_ref="oval:ssg:tst:220"/>
<criterion comment="Prevent user from changing automount setting" test_ref="oval:ssg:tst:221"/>
<criterion comment="Prevent user from changing automount-open setting" test_ref="oval:ssg:tst:222"/>
<criterion comment="Prevent user from changing autorun setting" test_ref="oval:ssg:tst:223"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:142" version="1">
<metadata>
<title>Service sshd Disabled</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<description>
The sshd service should be disabled.
</description>
<reference ref_id="service_sshd_disabled" source="ssg"/></metadata>
<criteria comment="package openssh-server removed or service sshd is not configured to start" operator="OR">
<extend_definition comment="openssh-server removed" definition_ref="oval:ssg:def:132"/>
<criterion comment="sshd disabled in multi-user.target" test_ref="oval:ssg:tst:224"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:225" version="1">
<metadata>
<title>Limit Password Reuse</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The passwords to remember should be set correctly.</description>
<reference source="SDW" ref_id="20131025" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_unix_remember" source="ssg"/></metadata>
<criteria>
<criterion comment="remember parameter is set to 0" test_ref="oval:ssg:tst:226"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:227" version="1">
<metadata>
<title>Disable Empty Passwords</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Remote connections from accounts with empty passwords should
be disabled (and dependencies are met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_disable_empty_passwords" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check PermitEmptyPasswords in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg:tst:228"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:104" version="1">
<metadata>
<title>Red Hat Enterprise Linux 6</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 6</description>
<reference ref_id="installed_OS_is_rhel6" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:101"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="oval:ssg:tst:105"/>
<criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="oval:ssg:tst:106"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:229" version="2">
<metadata>
<title>Set Password ocredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password ocredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_ocredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for ocredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:230"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:231" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password expiration warning age should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_password_warn_age_login_defs" source="ssg"/></metadata>
<criteria>
<criterion test_ref="oval:ssg:tst:232"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:233" version="1">
<metadata>
<title>Verify that System Executables Have Restrictive Permissions</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
/usr/local/bin, and /usr/local/sbin, are not group-writable or world-writable.
</description>
<reference ref_id="file_permissions_binary_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:234"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:235" version="1">
<metadata>
<title>Set Password maxrepeat Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password maxrepeat should meet minimum
requirements using pam_pwquality</description>
<reference source="galford" ref_id="20141006" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_maxrepeat" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for maxrepeat are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:236"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:237" version="1">
<metadata>
<title>File grub.cfg Owned By root User</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub.cfg file should be owned by the root user. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_user_owner_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:238"/>
<criterion test_ref="oval:ssg:tst:239"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:240" version="1">
<metadata>
<title>Verify that Shared Library Files Have Restrictive Permissions</title>
<affected family="unix">
<platform>Fedora 19</platform>
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are not group-writable or world-writable.
</description>
<reference ref_id="file_permissions_library_dirs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:241"/>
<criterion test_ref="oval:ssg:tst:242"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:243" version="1">
<metadata>
<title>Disable root Login via SSH</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Root login via SSH should be disabled (and dependencies are
met)</description>
<reference source="JL" ref_id="20140414" ref_url="test_attestation"/>
<reference ref_id="sshd_disable_root_login" source="ssg"/></metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="oval:ssg:def:142"/>
<criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg:tst:244"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:245" version="1">
<metadata>
<title>Restrict Serial Port Root Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Preventing direct root login to serial port interfaces helps
ensure accountability for actions taken on the system using the root
account.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="restrict_serial_port_logins" source="ssg"/></metadata>
<criteria>
<criterion comment="serial ports /etc/securetty" test_ref="oval:ssg:tst:246" negate="true"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:247" version="2">
<metadata>
<title>Set Password difok Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password difok should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_difok" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for difok are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:248"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:249" version="1">
<metadata>
<title>Ensure Yum gpgcheck Globally Activated</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The gpgcheck option should be used to ensure that checking
of an RPM package's signature always occurs prior to its
installation.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- rhel7: <reference source="SDW" ref_id="20131223" ref_url="test_attestation" /> -->
<reference ref_id="ensure_gpgcheck_globally_activated" source="ssg"/></metadata>
<criteria>
<criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="oval:ssg:tst:250"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:251" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password minimum length should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_password_minlen_login_defs" source="ssg"/></metadata>
<criteria operator="AND">
<criterion test_ref="oval:ssg:tst:252"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:253" version="2">
<metadata>
<title>System Login Banner Compliance</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The system login banner text should be set correctly.</description>
<reference source="MED" ref_id="20130819" ref_url="test_attestation"/>
<reference ref_id="banner_etc_issue" source="ssg"/></metadata>
<criteria>
<criterion comment="/etc/issue is set appropriately" test_ref="oval:ssg:tst:254"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:255" version="1">
<metadata>
<title>Disable All GNOME3 Thumbnailers</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The system's default desktop environment, GNOME3, uses a
number of different thumbnailer programs to generate thumbnails for any
new or modified content in an opened folder. Disable the execution of
these thumbnail applications within GNOME3.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_disable_thumbnailers" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Disable Gnome3 Thumbnailers and prevent user from enabling" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="Disable thumbnailers in GNOME3" test_ref="oval:ssg:tst:256"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:257"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:145" version="1">
<metadata>
<title>Implement Local DB for DConf User Profile</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The DConf User profile should have the local DB configured.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="enable_dconf_user_profile" source="ssg"/></metadata>
<criteria>
<criterion comment="dconf user profile exists" test_ref="oval:ssg:tst:258"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:259" version="2">
<metadata>
<title>Kernel Runtime Parameter IPv6 Check</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Disables IPv6 for all network interfaces.</description>
<reference source="galford" ref_id="20141015" ref_url="test_attestation"/>
<reference ref_id="sysctl_kernel_ipv6_disable" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="Disable IPv6 runtime check" test_ref="oval:ssg:tst:260"/>
<criterion comment="Disable IPv6 in sysctl.d conf file" test_ref="oval:ssg:tst:261"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:262" version="2">
<metadata>
<title>Set Password lcredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password lcredit should meet minimum requirements</description>
<reference source="swells" ref_id="20140926" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_lcredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for lcredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:263"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:264" version="1">
<metadata>
<title>Set Boot Loader Password</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub2 boot loader should have password protection enabled.</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="bootloader_password" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="make sure a password is defined in /etc/grub2.cfg" test_ref="oval:ssg:tst:265"/>
<criterion comment="make sure a superuser is defined in /etc/grub2.cfg" test_ref="oval:ssg:tst:266"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:267" version="1">
<metadata>
<title>All Password Hashes Shadowed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>All password hashes should be shadowed.</description>
<reference source="swells" ref_id="20130918" ref_url="test_attestation"/>
<reference ref_id="accounts_password_all_shadowed" source="ssg"/></metadata>
<criteria>
<criterion comment="password hashes are shadowed" test_ref="oval:ssg:tst:268"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:269" version="1">
<metadata>
<title>Enable GNOME3 Screensaver Idle Activation</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Idle activation of the screen saver should be enabled.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_idle_activation_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="check screensaver idle activation and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="idle activation has been configured" test_ref="oval:ssg:tst:270"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:271"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:272" version="1">
<metadata>
<title>Service ntpd Enabled</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<description>
The ntpd service should be enabled.
</description>
<reference ref_id="service_ntpd_enabled" source="ssg"/></metadata>
<criteria comment="package ntp installed and service ntpd is configured to start" operator="AND">
<extend_definition comment="ntp installed" definition_ref="oval:ssg:def:181"/>
<criterion comment="ntpd multi-user.target" test_ref="oval:ssg:tst:273"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:274" version="2">
<metadata>
<title>Write permissions are disabled for group and other in all
directories in Root's Path</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Check each directory in root's path and make use it does
not grant write permission to group and other</description>
<reference source="JL" ref_id="RHEL6_20141119" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20141119" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20141119" ref_url="test_attestation"/>
<reference ref_id="accounts_root_path_dirs_no_write" source="ssg"/></metadata>
<criteria comment="Check that write permission to group and other in root's path is denied">
<criterion comment="Check for write permission to group and other in root's path" test_ref="oval:ssg:tst:275"/>
</criteria>
</definition>
<definition class="inventory" id="oval:ssg:def:107" version="1">
<metadata>
<title>Red Hat Enterprise Linux 7</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
<description>The operating system installed on the system is
Red Hat Enterprise Linux 7</description>
<reference ref_id="installed_OS_is_rhel7" source="ssg"/></metadata>
<criteria>
<criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg:tst:108"/>
<criteria operator="OR">
<criterion comment="Red Hat Enterprise Linux 7 Workstation is installed" test_ref="oval:ssg:tst:109"/>
<criterion comment="Red Hat Enterprise Linux 7 Server is installed" test_ref="oval:ssg:tst:110"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:276" version="1">
<metadata>
<title>UID 0 Belongs Only To Root</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Only the root account should be assigned a user id of 0.</description>
<reference source="MED" ref_id="20130807" ref_url="test_attestation"/>
<!-- Fedora 20: <reference source="JL" ref_id="20140303" ref_url="test_attestation" /> -->
<reference ref_id="accounts_no_uid_except_zero" source="ssg"/></metadata>
<criteria>
<criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="oval:ssg:tst:277"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:278" version="1">
<metadata>
<title>File grub.cfg Owned By root Group </title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The grub.cfg file should be owned by the root group. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</description>
<reference source="galford" ref_id="20140909" ref_url="test_attestation"/>
<reference ref_id="file_group_owner_grub2_cfg" source="ssg"/></metadata>
<criteria operator="OR">
<criterion test_ref="oval:ssg:tst:279"/>
<criterion test_ref="oval:ssg:tst:280"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:281" version="1">
<metadata>
<title>Restrict Virtual Console Root Logins</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system using the
root account.</description>
<reference source="galford" ref_id="20141114" ref_url="test_attestation"/>
<reference ref_id="securetty_root_login_console_only" source="ssg"/></metadata>
<criteria>
<criterion comment="virtual consoles /etc/securetty" test_ref="oval:ssg:tst:282"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:283" version="3">
<metadata>
<title>Set Password Expiration Parameters</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The minimum password age policy should be set appropriately.</description>
<reference source="JL" ref_id="RHEL6_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="RHEL7_20150201" ref_url="test_attestation"/>
<reference source="JL" ref_id="FEDORA20_20150201" ref_url="test_attestation"/>
<reference ref_id="accounts_minimum_age_login_defs" source="ssg"/></metadata>
<criteria comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs">
<criterion test_ref="oval:ssg:tst:284"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:285" version="1">
<metadata>
<title>Set Password dcredit Requirements</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The password dcredit should meet minimum requirements</description>
<reference source="galford" ref_id="20141010" ref_url="test_attestation"/>
<reference ref_id="accounts_password_pam_dcredit" source="ssg"/></metadata>
<criteria operator="AND" comment="conditions for dcredit are satisfied">
<extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg:def:130"/>
<criterion comment="pwquality.conf" test_ref="oval:ssg:tst:286"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:287" version="1">
<metadata>
<title>Enable GNOME3 Screensaver Lock After Idle Period</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>Idle activation of the screen lock should be enabled.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_lock_enabled" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="Enable screensaver lock and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="screensaver lock is enabled" test_ref="oval:ssg:tst:288"/>
<criterion comment="screensaver lock prevent user from changing" test_ref="oval:ssg:tst:289"/>
<criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg:tst:290"/>
<criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg:tst:291"/>
<criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg:tst:290"/>
<criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg:tst:291"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:292" version="1">
<metadata>
<title>Banner for FTP Users</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>This setting will cause the system greeting banner to be
used for FTP connections as well.</description>
<reference source="galford" ref_id="20140812" ref_url="test_attestation"/>
<reference ref_id="ftp_present_banner" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="vsftpd package is not installed" negate="true" definition_ref="oval:ssg:def:168"/>
<criterion comment="Banner for FTP Users" test_ref="oval:ssg:tst:293"/>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:294" version="1">
<metadata>
<title>Configure the GNOME3 GUI Screen locking</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The allowed period of inactivity before the screensaver is activated.</description>
<reference source="galford" ref_id="20140824" ref_url="test_attestation"/>
<reference ref_id="dconf_gnome_screensaver_idle_delay" source="ssg"/></metadata>
<criteria operator="OR">
<extend_definition comment="dconf installed" definition_ref="oval:ssg:def:134" negate="true"/>
<criteria comment="check screensaver idle delay and prevent user from changing it" operator="AND">
<extend_definition comment="dconf user profile exists" definition_ref="oval:ssg:def:145"/>
<criterion comment="idle delay has been configured" test_ref="oval:ssg:tst:295"/>
<criterion comment="prevent user from changing idle delay" test_ref="oval:ssg:tst:296"/>
<criterion comment="idle delay is set correctly" test_ref="oval:ssg:tst:297"/>
</criteria>
</criteria>
</definition>
<definition class="compliance" id="oval:ssg:def:298" version="1">
<metadata>
<title>Require Authentication for Single-User Mode</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform>
</affected>
<description>The requirement for a password to boot into single-user mode
should be configured correctly.</description>
<reference source="galford" ref_id="20140926" ref_url="test_attestation"/>
<reference ref_id="require_singleuser_auth" source="ssg"/></metadata>
<criteria operator="AND">
<criterion comment="Conditions are satisfied" test_ref="oval:ssg:tst:299"/>
<criterion test_ref="oval:ssg:tst:300"/>
<criterion test_ref="oval:ssg:tst:301" negate="true"/>
<criterion test_ref="oval:ssg:tst:302" negate="true"/>
</criteria>
</definition>
</definitions>
<tests>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure at least one NTP server is set" id="oval:ssg:tst:126" version="1">
<ind:object object_ref="oval:ssg:obj:303"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure nullok is not used in /etc/pam.d/system-auth" id="oval:ssg:tst:128" version="1">
<ind:object object_ref="oval:ssg:obj:304"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:131" version="1">
<ind:object object_ref="oval:ssg:obj:305"/>
<ind:state state_ref="oval:ssg:ste:306"/>
</ind:textfilecontent54_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:101" version="1">
<ind:object object_ref="oval:ssg:obj:111"/>
<ind:state state_ref="oval:ssg:ste:112"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="only_one_exists" comment="fedora-release is version 19" id="oval:ssg:tst:102" version="1">
<linux:object object_ref="oval:ssg:obj:113"/>
<linux:state state_ref="oval:ssg:ste:114"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg:tst:133" version="1" comment="package openssh-server is removed">
<linux:object object_ref="oval:ssg:obj:307"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:135" version="1" comment="package dconf is installed">
<linux:object object_ref="oval:ssg:obj:308"/>
</linux:rpminfo_test>
<ind:variable_test id="oval:ssg:tst:137" check="all" comment="The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:309"/>
<ind:state state_ref="oval:ssg:ste:310"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary directories uid root" id="oval:ssg:tst:139" version="1">
<unix:object object_ref="oval:ssg:obj:311"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary files uid root" id="oval:ssg:tst:140" version="1">
<unix:object object_ref="oval:ssg:obj:312"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="oval:ssg:tst:143" version="1">
<ind:object object_ref="oval:ssg:obj:313"/>
<ind:state state_ref="oval:ssg:ste:314"/>
<ind:state state_ref="oval:ssg:ste:315"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner is enabled" id="oval:ssg:tst:146" version="1">
<ind:object object_ref="oval:ssg:obj:316"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg:tst:147" version="1">
<ind:object object_ref="oval:ssg:obj:317"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="oval:ssg:tst:149" version="1">
<unix:object object_ref="oval:ssg:obj:318"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library files uid root" id="oval:ssg:tst:150" version="1">
<unix:object object_ref="oval:ssg:obj:319"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests whether prelinking is disabled" id="oval:ssg:tst:152" version="1">
<ind:object object_ref="oval:ssg:obj:320"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:154" check="all" comment="The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:321"/>
<ind:state state_ref="oval:ssg:ste:322"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="home directories" id="oval:ssg:tst:156" version="1">
<unix:object object_ref="oval:ssg:obj:323"/>
<unix:state state_ref="oval:ssg:ste:324"/>
</unix:file_test>
<ind:textfilecontent54_test id="oval:ssg:tst:158" check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth" version="1">
<ind:object object_ref="oval:ssg:obj:325"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:159" check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)" version="1">
<ind:object object_ref="oval:ssg:obj:327"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:160" check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/system-auth" version="1">
<ind:object object_ref="oval:ssg:obj:328"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:161" check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth" version="1">
<ind:object object_ref="oval:ssg:obj:329"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:162" check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)" version="1">
<ind:object object_ref="oval:ssg:obj:330"/>
<ind:state state_ref="oval:ssg:ste:326"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="oval:ssg:tst:163" check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/password-auth" version="1">
<ind:object object_ref="oval:ssg:obj:331"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg:tst:166" version="1">
<ind:object object_ref="oval:ssg:obj:332"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:169" version="1">
<ind:object object_ref="oval:ssg:obj:333"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:170" version="1">
<ind:object object_ref="oval:ssg:obj:334"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg:tst:171" version="1">
<ind:object object_ref="oval:ssg:obj:335"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver mode is blank" id="oval:ssg:tst:173" version="1">
<ind:object object_ref="oval:ssg:obj:336"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="blank screensaver cannot be changed by user" id="oval:ssg:tst:174" version="1">
<ind:object object_ref="oval:ssg:obj:337"/>
</ind:textfilecontent54_test>
<unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter kernel.exec-shield set to 1" id="oval:ssg:tst:176" version="1">
<unix:object object_ref="oval:ssg:obj:338"/>
<unix:state state_ref="oval:ssg:ste:339"/>
</unix:sysctl_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="kernel.exec-shield static configuration" id="oval:ssg:tst:177" version="1">
<ind:object object_ref="oval:ssg:obj:340"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NX is disabled" id="oval:ssg:tst:180" version="1">
<ind:object object_ref="oval:ssg:obj:341"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:182" version="1" comment="package ntp is installed">
<linux:object object_ref="oval:ssg:obj:342"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg:tst:183" version="1" comment="package net-snmp is removed">
<linux:object object_ref="oval:ssg:obj:343"/>
</linux:rpminfo_test>
<unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg:tst:184" version="1">
<unix:object object_ref="oval:ssg:obj:344"/>
<unix:state state_ref="oval:ssg:ste:345"/>
</unix:uname_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:186" version="1">
<ind:object object_ref="oval:ssg:obj:346"/>
<ind:state state_ref="oval:ssg:ste:347"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:187" version="1">
<ind:object object_ref="oval:ssg:obj:348"/>
<ind:state state_ref="oval:ssg:ste:347"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:189" version="1" comment="AntiVirus package is installed">
<linux:object object_ref="oval:ssg:obj:349"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:191" version="1">
<ind:object object_ref="oval:ssg:obj:350"/>
<ind:state state_ref="oval:ssg:ste:351"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:ssg:tst:193" version="1">
<unix:object object_ref="oval:ssg:obj:352"/>
<unix:state state_ref="oval:ssg:ste:353"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:194" version="1">
<unix:object object_ref="oval:ssg:obj:354"/>
<unix:state state_ref="oval:ssg:ste:353"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check for existence of gpgcheck=0 in /etc/yum.repos.d/ files" id="oval:ssg:tst:196" version="1">
<ind:object object_ref="oval:ssg:obj:355"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg:tst:198" version="1">
<ind:object object_ref="oval:ssg:obj:356"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="login banner text is correctly set" id="oval:ssg:tst:199" version="1">
<ind:object object_ref="oval:ssg:obj:357"/>
<ind:state state_ref="oval:ssg:ste:358"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .netrc in /home" id="oval:ssg:tst:201" version="1">
<unix:object object_ref="oval:ssg:obj:359"/>
</unix:file_test>
<unix:uname_test check="all" comment="32 bit architecture" id="oval:ssg:tst:202" version="1">
<unix:object object_ref="oval:ssg:obj:360"/>
<unix:state state_ref="oval:ssg:ste:361"/>
</unix:uname_test>
<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure at least one NTP server is set" id="oval:ssg:tst:204" version="1">
<ind:object object_ref="oval:ssg:obj:362"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:206" version="1">
<ind:object object_ref="oval:ssg:obj:363"/>
<ind:state state_ref="oval:ssg:ste:364"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for the presence of login shells (not /sbin/nologin) for system accounts in /etc/passwd file" id="oval:ssg:tst:208" version="1">
<ind:object object_ref="oval:ssg:obj:365"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg:tst:209" version="1" comment="package vsftpd is installed">
<linux:object object_ref="oval:ssg:obj:366"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the insecure locks in /etc/exports" id="oval:ssg:tst:211" version="1">
<ind:object object_ref="oval:ssg:obj:367"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg:tst:213" version="1">
<ind:object object_ref="oval:ssg:obj:368"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:215" version="1">
<ind:object object_ref="oval:ssg:obj:369"/>
<ind:state state_ref="oval:ssg:ste:370"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg:tst:216" version="1">
<ind:object object_ref="oval:ssg:obj:371"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount in GNOME3" id="oval:ssg:tst:218" version="1">
<ind:object object_ref="oval:ssg:obj:372"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount setting" id="oval:ssg:tst:221" version="1">
<ind:object object_ref="oval:ssg:obj:373"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount-open in GNOME" id="oval:ssg:tst:219" version="1">
<ind:object object_ref="oval:ssg:obj:374"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount-open setting" id="oval:ssg:tst:222" version="1">
<ind:object object_ref="oval:ssg:obj:375"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable autorun in GNOME" id="oval:ssg:tst:220" version="1">
<ind:object object_ref="oval:ssg:obj:376"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing autorun setting" id="oval:ssg:tst:223" version="1">
<ind:object object_ref="oval:ssg:obj:377"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="none_exist" comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:tst:224" version="1">
<unix:object object_ref="oval:ssg:obj:378"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="remember is set in /etc/pam.d/system-auth" id="oval:ssg:tst:226" version="1">
<ind:object object_ref="oval:ssg:obj:379"/>
<ind:state state_ref="oval:ssg:ste:380"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:228" version="1">
<ind:object object_ref="oval:ssg:obj:381"/>
</ind:textfilecontent54_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 6" id="oval:ssg:tst:105" version="1">
<linux:object object_ref="oval:ssg:obj:115"/>
<linux:state state_ref="oval:ssg:ste:116"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 6" id="oval:ssg:tst:106" version="1">
<linux:object object_ref="oval:ssg:obj:117"/>
<linux:state state_ref="oval:ssg:ste:118"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:230" version="1">
<ind:object object_ref="oval:ssg:obj:382"/>
<ind:state state_ref="oval:ssg:ste:383"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:232" check="all" comment="The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:384"/>
<ind:state state_ref="oval:ssg:ste:385"/>
</ind:variable_test>
<unix:file_test check="all" check_existence="none_exist" comment="binary files go-w" id="oval:ssg:tst:234" version="1">
<unix:object object_ref="oval:ssg:obj:386"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:236" version="1">
<ind:object object_ref="oval:ssg:obj:387"/>
<ind:state state_ref="oval:ssg:ste:388"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg:tst:238" version="1">
<unix:object object_ref="oval:ssg:obj:389"/>
<unix:state state_ref="oval:ssg:ste:390"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:239" version="1">
<unix:object object_ref="oval:ssg:obj:391"/>
<unix:state state_ref="oval:ssg:ste:390"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="oval:ssg:tst:241" version="1">
<unix:object object_ref="oval:ssg:obj:392"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="oval:ssg:tst:242" version="1">
<unix:object object_ref="oval:ssg:obj:393"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitRootLogin[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:ssg:tst:244" version="1">
<ind:object object_ref="oval:ssg:obj:394"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="serial ports /etc/securetty" id="oval:ssg:tst:246" version="1">
<ind:object object_ref="oval:ssg:obj:395"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:248" version="1">
<ind:object object_ref="oval:ssg:obj:396"/>
<ind:state state_ref="oval:ssg:ste:397"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="oval:ssg:tst:250" version="1">
<ind:object object_ref="oval:ssg:obj:398"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:252" check="all" comment="The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:399"/>
<ind:state state_ref="oval:ssg:ste:400"/>
</ind:variable_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/issue" id="oval:ssg:tst:254" version="1">
<ind:object object_ref="oval:ssg:obj:401"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable thumbnailers in GNOME3" id="oval:ssg:tst:256" version="1">
<ind:object object_ref="oval:ssg:obj:402"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot enable thumbnailers " id="oval:ssg:tst:257" version="1">
<ind:object object_ref="oval:ssg:obj:403"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="dconf user profile exists" id="oval:ssg:tst:258" version="1">
<ind:object object_ref="oval:ssg:obj:404"/>
</ind:textfilecontent54_test>
<unix:sysctl_test check="all" check_existence="all_exist" comment="Disable IPv6 runtime check" id="oval:ssg:tst:260" version="1">
<unix:object object_ref="oval:ssg:obj:405"/>
<unix:state state_ref="oval:ssg:ste:406"/>
</unix:sysctl_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable IPv6 in sysctl.d conf file" id="oval:ssg:tst:261" version="1">
<ind:object object_ref="oval:ssg:obj:407"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:263" version="1">
<ind:object object_ref="oval:ssg:obj:408"/>
<ind:state state_ref="oval:ssg:ste:409"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in /etc/grub2.cfg files. Superuser is not root, admin, or administrator" id="oval:ssg:tst:266" version="1">
<ind:object object_ref="oval:ssg:obj:410"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /etc/grub2.cfg" id="oval:ssg:tst:265" version="1">
<ind:object object_ref="oval:ssg:obj:411"/>
</ind:textfilecontent54_test>
<unix:password_test check="all" comment="password hashes are shadowed" id="oval:ssg:tst:268" version="1">
<unix:object object_ref="oval:ssg:obj:412"/>
<unix:state state_ref="oval:ssg:ste:413"/>
</unix:password_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="idle delay is configured" id="oval:ssg:tst:270" version="1">
<ind:object object_ref="oval:ssg:obj:414"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change idle_activation_enabled" id="oval:ssg:tst:271" version="1">
<ind:object object_ref="oval:ssg:obj:415"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for ntpd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:tst:273" version="1">
<unix:object object_ref="oval:ssg:obj:416"/>
</unix:file_test>
<unix:file_test check="all" check_existence="none_exist" comment="Check if there aren't directories in root's path having write permission set for group or other" id="oval:ssg:tst:275" version="1">
<unix:object object_ref="oval:ssg:obj:417"/>
</unix:file_test>
<ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg:tst:108" version="1">
<ind:object object_ref="oval:ssg:obj:119"/>
<ind:state state_ref="oval:ssg:ste:120"/>
</ind:family_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg:tst:109" version="1">
<linux:object object_ref="oval:ssg:obj:121"/>
<linux:state state_ref="oval:ssg:ste:122"/>
</linux:rpminfo_test>
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg:tst:110" version="1">
<linux:object object_ref="oval:ssg:obj:123"/>
<linux:state state_ref="oval:ssg:ste:124"/>
</linux:rpminfo_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="oval:ssg:tst:277" version="1">
<ind:object object_ref="oval:ssg:obj:418"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg:tst:279" version="1">
<unix:object object_ref="oval:ssg:obj:419"/>
<unix:state state_ref="oval:ssg:ste:420"/>
</unix:file_test>
<unix:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg:tst:280" version="1">
<unix:object object_ref="oval:ssg:obj:421"/>
<unix:state state_ref="oval:ssg:ste:420"/>
</unix:file_test>
<ind:textfilecontent54_test check="all" check_existence="none_exist" comment="virtual consoles /etc/securetty" id="oval:ssg:tst:282" version="1">
<ind:object object_ref="oval:ssg:obj:422"/>
</ind:textfilecontent54_test>
<ind:variable_test id="oval:ssg:tst:284" check="all" comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs" version="1">
<ind:object object_ref="oval:ssg:obj:423"/>
<ind:state state_ref="oval:ssg:ste:424"/>
</ind:variable_test>
<ind:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg:tst:286" version="1">
<ind:object object_ref="oval:ssg:obj:425"/>
<ind:state state_ref="oval:ssg:ste:426"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is enabled" id="oval:ssg:tst:288" version="1">
<ind:object object_ref="oval:ssg:obj:427"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock cannot be changed by user" id="oval:ssg:tst:289" version="1">
<ind:object object_ref="oval:ssg:obj:428"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is set correctly" id="oval:ssg:tst:290" version="1">
<ind:object object_ref="oval:ssg:obj:429"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock delay cannot be changed by user" id="oval:ssg:tst:291" version="1">
<ind:object object_ref="oval:ssg:obj:430"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Banner for FTP Users" id="oval:ssg:tst:293" version="1">
<ind:object object_ref="oval:ssg:obj:431"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay is configured" id="oval:ssg:tst:295" version="1">
<ind:object object_ref="oval:ssg:obj:432"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change screensaver idle delay" id="oval:ssg:tst:296" version="1">
<ind:object object_ref="oval:ssg:obj:433"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay setting is correct" id="oval:ssg:tst:297" version="1">
<ind:object object_ref="oval:ssg:obj:434"/>
<ind:state state_ref="oval:ssg:ste:435"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode" id="oval:ssg:tst:299" version="1">
<ind:object object_ref="oval:ssg:obj:436"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that the systemd rescue.service is in the runlevel1.target" id="oval:ssg:tst:300" version="1">
<ind:object object_ref="oval:ssg:obj:437"/>
</ind:textfilecontent54_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for rescue.service in /etc/systemd/system" id="oval:ssg:tst:302" version="1">
<unix:object object_ref="oval:ssg:obj:438"/>
</unix:file_test>
<unix:file_test check="all" check_existence="at_least_one_exists" comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg:tst:301" version="1">
<unix:object object_ref="oval:ssg:obj:439"/>
</unix:file_test>
</tests>
<objects>
<ind:textfilecontent54_object comment="Ensure more than one NTP server is set" id="oval:ssg:obj:303" version="1">
<ind:filepath>/etc/ntp.conf</ind:filepath>
<ind:pattern operation="pattern match">^([\s]*server[\s]+.+$){2,}$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:304" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">\s*nullok\s*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:305" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:family_object id="oval:ssg:obj:111" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:113" version="1">
<linux:name>fedora-release</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:307" version="1">
<linux:name>openssh-server</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:308" version="1">
<linux:name>dconf</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:440" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MAX_DAYS directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MAX_DAYS directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:309" version="1">
<ind:var_ref>oval:ssg:var:441</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="binary directories" id="oval:ssg:obj:311" version="1">
<!-- Check that /bin, /sbin, /usr/sbin, /usr/sbin, /usr/local/bin, and
/usr/local/sbin directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:442</filter>
</unix:file_object>
<unix:file_object comment="binary files" id="oval:ssg:obj:312" version="1">
<!-- Check that files within /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, and
/usr/local/sbin directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:442</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:313" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:316" version="1">
<ind:path>/etc/dconf/db/gdm.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:317" version="1">
<ind:path>/etc/dconf/db/gdm.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/login-screen/banner-message-enable$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="library directories" id="oval:ssg:obj:318" version="1">
<!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:443</filter>
</unix:file_object>
<unix:file_object comment="library files" id="oval:ssg:obj:319" version="1">
<!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
<unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:443</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:320" version="2">
<ind:filepath>/etc/sysconfig/prelink</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*PRELINKING=no[\s]*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:444" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last ENCRYPT_METHOD directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of ENCRYPT_METHOD directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:321" version="1">
<ind:var_ref>oval:ssg:var:445</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="home directories" id="oval:ssg:obj:323" version="2">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
<unix:path operation="equals">/home</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="exclude">oval:ssg:ste:446</filter>
<filter action="include">oval:ssg:ste:324</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:325" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:327" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:328" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:329" version="1">
<!-- Read whole /etc/pam.d/password-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
pam_unix.so module in auth section -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+deny=([0-9]+)[\s]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:330" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
<ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+deny=([0-9]+)[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:331" version="1">
<!-- Read whole /etc/pam.d/system-auth content as single line so we can verify existing order of PAM modules -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/pam.d/password-auth</ind:filepath>
<!-- Since order of PAM modules matters ensure pam_faillock.so in account section is listed right before pam_unix.so account row -->
<ind:pattern operation="pattern match">[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
<!-- Check only the first instance -->
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:332" version="1">
<ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:333" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*xferlog_enable[\s]*=[\s]*YES$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:334" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*xferlog_std_format[\s]*=[\s]*NO$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="log ftp transactions" id="oval:ssg:obj:335" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*log_ftp_protocol[\s]*=[\s]*YES$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:336" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=\'\'$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:337" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/picture-uri$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:340" version="1">
<ind:filepath>/etc/sysctl.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:sysctl_object id="oval:ssg:obj:338" version="1">
<unix:name>kernel.exec-shield</unix:name>
</unix:sysctl_object>
<ind:textfilecontent54_object id="oval:ssg:obj:341" version="1">
<ind:filepath>/boot/grub2/grub.cfg</ind:filepath>
<ind:pattern operation="pattern match">[\s]*noexec[\s]*=[\s]*off</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:342" version="1">
<linux:name>ntp</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:343" version="1">
<linux:name>net-snmp</linux:name>
</linux:rpminfo_object>
<unix:uname_object comment="64 bit architecture" id="oval:ssg:obj:344" version="1"/>
<ind:textfilecontent54_object id="oval:ssg:obj:346" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*retry=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:348" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:349" version="1">
<linux:name>McAfeeVSEForLinux</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:350" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:352" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:354" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:355" version="1">
<ind:path>/etc/yum.repos.d</ind:path>
<ind:filename operation="pattern match">.*</ind:filename>
<ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*0\s*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:356" version="1">
<ind:path>/etc/dconf/db/gdm.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/login-screen/banner-message-text$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:357" version="1">
<ind:path>/etc/dconf/db/gdm.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^banner-message-text=[\s']*([^']*)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for .netrc in /home" id="oval:ssg:obj:359" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
<unix:path operation="equals">/home</unix:path>
<unix:filename operation="pattern match">^\.netrc$</unix:filename>
</unix:file_object>
<unix:uname_object comment="32 bit architecture" id="oval:ssg:obj:360" version="1"/>
<ind:textfilecontent54_object comment="Ensure at least one NTP server is set" id="oval:ssg:obj:362" version="1">
<ind:filepath>/etc/ntp.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:363" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:365" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:366" version="1">
<linux:name>vsftpd</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:367" version="2">
<ind:filepath>/etc/exports</ind:filepath>
<ind:pattern operation="pattern match">^(.*?(\binsecure_locks\b)[^$]*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:368" version="1">
<ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:369" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^ucredit[s\]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:371" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:372" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:373" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:374" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:375" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:376" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:377" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for sshd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:obj:378" version="1">
<unix:filepath>/etc/systemd/system/multi-user.target.wants/sshd.service</unix:filepath>
<filter action="include">oval:ssg:ste:447</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:379" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
<ind:pattern operation="pattern match">^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:381" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<linux:rpminfo_object id="oval:ssg:obj:115" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:117" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:382" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:448" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_WARN_AGE directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_WARN_AGE directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:384" version="1">
<ind:var_ref>oval:ssg:var:449</ind:var_ref>
</ind:variable_object>
<unix:file_object comment="binary files" id="oval:ssg:obj:386" version="1">
<!-- Check that binary files under /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
and /usr/local/sbin directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:450</filter>
<filter action="exclude">oval:ssg:ste:451</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:387" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:389" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:391" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="library directories" id="oval:ssg:obj:392" version="1">
<!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:452</filter>
<filter action="exclude">oval:ssg:ste:453</filter>
</unix:file_object>
<unix:file_object comment="library files" id="oval:ssg:obj:393" version="1">
<!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">oval:ssg:ste:452</filter>
<filter action="exclude">oval:ssg:ste:453</filter>
</unix:file_object>
<ind:textfilecontent54_object id="oval:ssg:obj:394" version="2">
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="serial ports /etc/securetty" id="oval:ssg:obj:395" version="1">
<ind:filepath>/etc/securetty</ind:filepath>
<ind:pattern operation="pattern match">^ttyS[0-9]+$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:396" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^difok[\s]*=[\s]*(\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:398" comment="gpgcheck set in /etc/yum.conf" version="1">
<ind:filepath>/etc/yum.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*1\s*$</ind:pattern>
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:454" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MIN_LEN directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MIN_LEN directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:399" version="1">
<ind:var_ref>oval:ssg:var:455</ind:var_ref>
</ind:variable_object>
<ind:textfilecontent54_object id="oval:ssg:obj:401" version="1">
<ind:filepath>/etc/issue</ind:filepath>
<ind:pattern var_ref="oval:ssg:var:456" operation="pattern match"/>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:402" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/thumbnailers]([^\n]*\n+)+?disable-all=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:403" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/thumbnailers/disable-all$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:404" version="2">
<ind:filepath>/etc/dconf/profile/user</ind:filepath>
<ind:pattern operation="pattern match">^user-db:user\nsystem-db:local$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:407" version="1">
<ind:filepath>/etc/sysctl.d/ipv6.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:sysctl_object id="oval:ssg:obj:405" version="1">
<unix:name>net.ipv6.conf.all.disable_ipv6</unix:name>
</unix:sysctl_object>
<ind:textfilecontent54_object id="oval:ssg:obj:408" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:410" version="1">
<ind:filepath>/etc/grub2.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:411" version="1">
<ind:filepath>/etc/grub2.cfg</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:password_object id="oval:ssg:obj:412" version="1">
<unix:username operation="pattern match">.*</unix:username>
</unix:password_object>
<ind:textfilecontent54_object id="oval:ssg:obj:414" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:415" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/idle-activation-enabled$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for ntpd.service in /etc/systemd/system/multi-user.target.wants" id="oval:ssg:obj:416" version="1">
<unix:filepath>/etc/systemd/system/multi-user.target.wants/ntpd.service</unix:filepath>
<filter action="include">oval:ssg:ste:447</filter>
</unix:file_object>
<ind:environmentvariable58_object id="oval:ssg:obj:457" version="1">
<ind:pid xsi:nil="true" datatype="int"/>
<ind:name>PATH</ind:name>
</ind:environmentvariable58_object>
<unix:file_object comment="root's path directories with wrong group / other write permissions" id="oval:ssg:obj:417" version="1">
<unix:path var_ref="oval:ssg:var:458" var_check="at least one"/>
<unix:filename xsi:nil="true"/>
<filter action="include">oval:ssg:ste:459</filter>
<filter action="exclude">oval:ssg:ste:460</filter>
</unix:file_object>
<ind:family_object id="oval:ssg:obj:119" version="1"/>
<linux:rpminfo_object id="oval:ssg:obj:121" version="1">
<linux:name>redhat-release-workstation</linux:name>
</linux:rpminfo_object>
<linux:rpminfo_object id="oval:ssg:obj:123" version="1">
<linux:name>redhat-release-server</linux:name>
</linux:rpminfo_object>
<ind:textfilecontent54_object id="oval:ssg:obj:418" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
<ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]*:0</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="/boot/grub2/grub.cfg" id="oval:ssg:obj:419" version="1">
<unix:filepath>/boot/grub2/grub.cfg</unix:filepath>
</unix:file_object>
<unix:file_object comment="/boot/efi/EFI/redhat/grub.cfg" id="oval:ssg:obj:421" version="1">
<unix:filepath>/boot/efi/EFI/redhat/grub.cfg</unix:filepath>
</unix:file_object>
<ind:textfilecontent54_object comment="virtual consoles /etc/securetty" id="oval:ssg:obj:422" version="1">
<ind:filepath>/etc/securetty</ind:filepath>
<ind:pattern operation="pattern match">^vc/[0-9]+$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:461" version="1">
<!-- Read whole /etc/login.defs as single line so we can retrieve last PASS_MIN_DAYS directive occurrence -->
<ind:behaviors singleline="true"/>
<ind:filepath>/etc/login.defs</ind:filepath>
<!-- Retrieve last (uncommented) occurrence of PASS_MIN_DAYS directive -->
<ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:variable_object id="oval:ssg:obj:423" version="1">
<ind:var_ref>oval:ssg:var:462</ind:var_ref>
</ind:variable_object>
<ind:textfilecontent54_object id="oval:ssg:obj:425" version="1">
<ind:filepath>/etc/security/pwquality.conf</ind:filepath>
<ind:pattern operation="pattern match">^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:427" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:428" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-enabled$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:429" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-delay=0$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:430" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/screensaver/lock-delay$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object comment="Banner for FTP Users" id="oval:ssg:obj:431" version="1">
<ind:filepath>/etc/vsftpd/vsftpd.conf</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*banner_file[\s]*=[\s]*/etc/issue*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:432" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=[0-9]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:433" version="1">
<ind:path>/etc/dconf/db/local.d/locks/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^/org/gnome/desktop/session/idle-delay$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:434" version="1">
<ind:path>/etc/dconf/db/local.d/</ind:path>
<ind:filename operation="pattern match">^.*$</ind:filename>
<ind:pattern operation="pattern match">^idle-delay[\s=]*([^=\s]*)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:436" version="1">
<ind:filepath>/usr/lib/systemd/system/rescue.service</ind:filepath>
<ind:pattern operation="pattern match">^ExecStart=\-.*/sbin/sulogin</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="oval:ssg:obj:437" version="1">
<ind:filepath>/usr/lib/systemd/system/runlevel1.target</ind:filepath>
<ind:pattern operation="pattern match">^Requires=.*rescue.service</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<unix:file_object comment="look for rescue.service in /etc/systemd/system" id="oval:ssg:obj:438" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
<unix:path operation="equals">/etc/systemd/system</unix:path>
<unix:filename operation="pattern match">^rescue.service$</unix:filename>
</unix:file_object>
<unix:file_object comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg:obj:439" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
<unix:path operation="equals">/etc/systemd/system</unix:path>
<unix:filename operation="pattern match">^runlevel1.target$</unix:filename>
</unix:file_object>
</objects>
<states>
<ind:textfilecontent54_state id="oval:ssg:ste:306" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:463"/>
</ind:textfilecontent54_state>
<ind:family_state id="oval:ssg:ste:112" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:114" version="1">
<linux:version operation="pattern match">^19$</linux:version>
</linux:rpminfo_state>
<ind:variable_state id="oval:ssg:ste:310" version="1">
<ind:value operation="less than or equal" var_ref="oval:ssg:var:464" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:442" version="1" operator="OR">
<unix:user_id datatype="int" operation="not equal">0</unix:user_id>
</unix:file_state>
<ind:textfilecontent54_state comment="upper bound of ClientAliveInterval in seconds" id="oval:ssg:ste:314" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg:var:465"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state comment="lower bound of ClientAliveInterval in seconds" id="oval:ssg:ste:315" version="1">
<ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:443" version="1">
<unix:user_id datatype="int" operation="not equal">0</unix:user_id>
</unix:file_state>
<ind:variable_state id="oval:ssg:ste:322" version="1">
<ind:value operation="equals" datatype="string">SHA512</ind:value>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:446" version="1">
<!-- Exclude /home directory itself from the check. Check /home/* directories only. -->
<unix:path operation="equals">/home</unix:path>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:324" version="1" operator="OR">
<unix:suid datatype="boolean">true</unix:suid>
<unix:sgid datatype="boolean">true</unix:sgid>
<unix:sticky datatype="boolean">true</unix:sticky>
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:oread datatype="boolean">true</unix:oread>
<unix:owrite datatype="boolean">true</unix:owrite>
<unix:oexec datatype="boolean">true</unix:oexec>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:326" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:466"/>
</ind:textfilecontent54_state>
<unix:sysctl_state id="oval:ssg:ste:339" version="1">
<unix:value datatype="int" operation="equals">1</unix:value>
</unix:sysctl_state>
<unix:uname_state comment="64 bit architecture" id="oval:ssg:ste:345" version="1">
<unix:processor_type operation="equals">x86_64</unix:processor_type>
</unix:uname_state>
<ind:textfilecontent54_state id="oval:ssg:ste:347" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:467"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:351" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:468"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:353" version="1">
<unix:uexec datatype="boolean">false</unix:uexec>
<unix:gread datatype="boolean">false</unix:gread>
<unix:gwrite datatype="boolean">false</unix:gwrite>
<unix:gexec datatype="boolean">false</unix:gexec>
<unix:oread datatype="boolean">false</unix:oread>
<unix:owrite datatype="boolean">false</unix:owrite>
<unix:oexec datatype="boolean">false</unix:oexec>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:358" version="1">
<ind:subexpression datatype="string" operation="pattern match" var_ref="oval:ssg:var:456"/>
</ind:textfilecontent54_state>
<unix:uname_state comment="32 bit architecture" id="oval:ssg:ste:361" version="1">
<unix:processor_type operation="equals">i686</unix:processor_type>
</unix:uname_state>
<ind:textfilecontent54_state id="oval:ssg:ste:364" version="1">
<ind:subexpression datatype="int" operation="equals">0</ind:subexpression>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:370" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:469"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:447" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:380" version="1">
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:470"/>
</ind:textfilecontent54_state>
<linux:rpminfo_state id="oval:ssg:ste:116" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:118" version="1">
<linux:version operation="pattern match">^6.*$</linux:version>
</linux:rpminfo_state>
<ind:textfilecontent54_state id="oval:ssg:ste:383" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:471"/>
</ind:textfilecontent54_state>
<ind:variable_state id="oval:ssg:ste:385" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:472" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:file_state id="oval:ssg:ste:450" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:451" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:388" version="1">
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:473"/>
</ind:textfilecontent54_state>
<unix:file_state id="oval:ssg:ste:390" version="1">
<unix:user_id datatype="int">0</unix:user_id>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:452" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state id="oval:ssg:ste:453" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:textfilecontent54_state id="oval:ssg:ste:397" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg:var:474"/>
</ind:textfilecontent54_state>
<ind:variable_state id="oval:ssg:ste:400" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:475" datatype="int" var_check="at least one"/>
</ind:variable_state>
<unix:sysctl_state id="oval:ssg:ste:406" version="1">
<unix:value datatype="int" operation="equals">1</unix:value>
</unix:sysctl_state>
<ind:textfilecontent54_state id="oval:ssg:ste:409" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:476"/>
</ind:textfilecontent54_state>
<unix:password_state id="oval:ssg:ste:413" version="1">
<unix:password>x</unix:password>
</unix:password_state>
<unix:file_state comment="group or other has write privilege" id="oval:ssg:ste:459" version="1" operator="OR">
<unix:gwrite datatype="boolean">true</unix:gwrite>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
<unix:file_state comment="symbolic link" id="oval:ssg:ste:460" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
<ind:family_state id="oval:ssg:ste:120" version="1">
<ind:family>unix</ind:family>
</ind:family_state>
<linux:rpminfo_state id="oval:ssg:ste:122" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_state id="oval:ssg:ste:124" version="1">
<linux:version operation="pattern match">^7.*$</linux:version>
</linux:rpminfo_state>
<unix:file_state id="oval:ssg:ste:420" version="1">
<unix:group_id datatype="int">0</unix:group_id>
</unix:file_state>
<ind:variable_state id="oval:ssg:ste:424" version="1">
<ind:value operation="greater than or equal" var_ref="oval:ssg:var:477" datatype="int" var_check="at least one"/>
</ind:variable_state>
<ind:textfilecontent54_state id="oval:ssg:ste:426" version="1">
<ind:instance datatype="int">1</ind:instance>
<ind:subexpression datatype="int" operation="less than or equal" var_ref="oval:ssg:var:478"/>
</ind:textfilecontent54_state>
<ind:textfilecontent54_state id="oval:ssg:ste:435" version="1">
<ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:479"/>
</ind:textfilecontent54_state>
</states>
<variables>
<external_variable comment="External variable for pam_cracklib minclass" datatype="int" id="oval:ssg:var:463" version="1"/>
<local_variable id="oval:ssg:var:441" datatype="int" comment="The value of last PASS_MAX_DAYS directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MAX_DAYS\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:440"/>
</regex_capture>
</local_variable>
<external_variable comment="Maximum password age" datatype="int" id="oval:ssg:var:464" version="1"/>
<external_variable comment="timeout value" datatype="int" id="oval:ssg:var:465" version="1"/>
<local_variable id="oval:ssg:var:445" datatype="string" comment="The value of last ENCRYPT_METHOD directive in /etc/login.defs" version="1">
<regex_capture pattern="ENCRYPT_METHOD\s+(\w+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:444"/>
</regex_capture>
</local_variable>
<external_variable id="oval:ssg:var:466" datatype="int" comment="number of failed login attempts allowed" version="1"/>
<external_variable comment="External variable for pam_cracklib retry" datatype="int" id="oval:ssg:var:467" version="1"/>
<external_variable comment="External variable for pam_cracklib minlen" datatype="int" id="oval:ssg:var:468" version="1"/>
<external_variable comment="external variable for GDM login banner text" datatype="string" id="oval:ssg:var:456" version="1"/>
<external_variable comment="External variable for pam_cracklib ucredit" datatype="int" id="oval:ssg:var:469" version="1"/>
<external_variable comment="number of passwords that should be remembered" datatype="int" id="oval:ssg:var:470" version="1"/>
<external_variable comment="External variable for pam_cracklib ocredit" datatype="int" id="oval:ssg:var:471" version="1"/>
<local_variable id="oval:ssg:var:449" datatype="int" comment="The value of last PASS_WARN_AGE directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_WARN_AGE\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:448"/>
</regex_capture>
</local_variable>
<external_variable comment="password expiration warning age in days" datatype="int" id="oval:ssg:var:472" version="1"/>
<external_variable comment="External variable for pam_cracklib maxrepeat" datatype="int" id="oval:ssg:var:473" version="1"/>
<external_variable comment="External variable for pam_cracklib difok" datatype="int" id="oval:ssg:var:474" version="1"/>
<local_variable id="oval:ssg:var:455" datatype="int" comment="The value of last PASS_MIN_LEN directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MIN_LEN\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:454"/>
</regex_capture>
</local_variable>
<external_variable comment="Password minimum length" datatype="int" id="oval:ssg:var:475" version="1"/>
<external_variable comment="External variable for pam_cracklib lcredit" datatype="int" id="oval:ssg:var:476" version="1"/>
<local_variable comment="Split the PATH on the : delimiter" datatype="string" id="oval:ssg:var:458" version="1">
<split delimiter=":">
<object_component item_field="value" object_ref="oval:ssg:obj:457"/>
</split>
</local_variable>
<local_variable id="oval:ssg:var:462" datatype="int" comment="The value of last PASS_MIN_DAYS directive in /etc/login.defs" version="1">
<regex_capture pattern="PASS_MIN_DAYS\s+(\d+)">
<object_component item_field="subexpression" object_ref="oval:ssg:obj:461"/>
</regex_capture>
</local_variable>
<external_variable comment="Minimum password age in days" datatype="int" id="oval:ssg:var:477" version="1"/>
<external_variable comment="External variable for pam_cracklib dcredit" datatype="int" id="oval:ssg:var:478" version="1"/>
<external_variable comment="inactivity timeout variable" datatype="string" id="oval:ssg:var:479" version="1"/>
</variables>
</oval_definitions></ds:component></ds:data-stream-collection>
xccdf_org.ssgproject.content_profile_commonfalse
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/testing_data/ssg-fedora-ds.xml������������������������������������������0000644�0001751�0000033�00004437030�13163222324�022254� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
python2.7.105.112016-01-20T07:40:45Record Attempts to Alter Time Through SettimeofdayFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Record attempts to alter time through settimeofday.Ensure Yum gpgcheck Globally ActivatedThe gpgcheck option should be used to ensure that checking
of an RPM package's signature always occurs prior to its
installation.Set Password Expiration ParametersThe maximum password age policy should meet minimum requirements.Enable GNOME3 Screensaver Idle ActivationFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Idle activation of the screen saver should be enabled.Enable GNOME3 Screensaver Lock After Idle PeriodFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Idle activation of the screen lock should be enabled.Package prelink RemovedThe RPM package prelink should be removed.Set Password Expiration ParametersThe password expiration warning age should be set appropriately.Disable PrelinkingRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Fedora 22Fedora 23Fedora 24The prelinking feature can interfere with the operation of
checksum integrity tools (e.g. AIDE), mitigates the protection provided
by ASLR, and requires additional CPU cycles by software upgrades.
Package cronie InstalledFedora 22Fedora 23Fedora 24The RPM package cronie should be installed.Audit Discretionary Access Control Modification Events - lremovexattrFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Service firewalld EnabledFedora 22Fedora 23Fedora 24The firewalld service should be enabled if possible.SNMP use newer protocolsSNMP version 1 and 2c must not be enabled.Configure the GNOME3 GUI Screen lockingFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The allowed period of inactivity before the screensaver is activated.Test for x86 ArchitectureFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Generic test for x86 architecture to be used by other testsAudit Kernel Module Loading and UnloadingFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The audit rules should be configured to log information about kernel module loading and unloading.Set ClientAliveCountMax for User LoginsThe SSH ClientAliveCountMax should be set to an appropriate
value (and dependencies are met)Enable GUI Warning BannerFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Enable the GUI warning banner.Auditd Maximum Log File Sizemax_log_file setting in /etc/audit/auditd.conf is set to at least a certain valueRequire Authentication for Single-User ModeFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The requirement for a password to boot into single-user mode
should be configured correctly.Test for x86_64 ArchitectureFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Generic test for x86_64 architecture to be used by other testsConfirm Existence and Permissions of System Log FilesFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Debian 8All syslog log files should be owned by the appropriate user.Audit Discretionary Access Control Modification Events - fchownFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Confirm Existence and Permissions of System Log FilesFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6File permissions for all syslog log files should be set correctly.Specify a Remote NTP Server for Time DataFedora 22Fedora 23Fedora 24A remote NTP Server for time synchronization should be
specified (and dependencies are met)Audit User/Group ModificationFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Audit user/group modification.Record Attempts to Alter Time Through the Localtime FileFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Record attempts to alter time through /etc/localtime.Direct root Logins Not AllowedPreventing direct root logins help ensure accountability for actions
taken on the system using the root account.Audit Discretionary Access Control Modification Events - fchmodatFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Set Password lcredit RequirementsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The password lcredit should meet minimum requirementsSet Password ucredit RequirementsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The password ucredit should meet minimum requirementsVerify /var/log/audit OwnershipChecks that all /var/log/audit files and directories are owned by the root user and group.Restrict Serial Port Root LoginsPreventing direct root login to serial port interfaces helps
ensure accountability for actions taken on the system using the root
account.System Login Banner ComplianceFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The system login banner text should be set correctly.Specify a Remote NTP Server for Time DataFedora 22Fedora 23Fedora 24Multiple NTP Servers for time synchronization should be
specifiedSystem Accounts Do Not Run a ShellThe root account is the only system account that should have a login shell.All Password Hashes ShadowedAll password hashes should be shadowed.Verify that System Executables Have Root OwnershipFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6CentOS 4CentOS 5Red Hat Enterprise Linux 4Red Hat Enterprise Linux 5
Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
/usr/local/sbin, /usr/libexec, and objects therein, are owned by root.
Disable Core DumpsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Core dumps for all users should be disabledSNMP default communities disabledSNMP default communities must be removed.Record Attempts to Alter Time Through AdjtimexFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Record attempts to alter time through adjtimex.Enable Auditing for Processes Which Start Prior to the Audit DaemonFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Look for argument audit=1 in the kernel line in /etc/default/grub.Lock out account after failed login attemptsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The number of allowed failed logins should be set correctly.Verify that Shared Library Files Have Root OwnershipFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are owned by root.
Verify No netrc Files ExistThe .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.File grub.cfg Owned By root UserFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The grub.cfg file should be owned by the root user. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfgRestrict Virtual Console Root LoginsPreventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system using the
root account.Banner for FTP UsersRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Fedora 22Fedora 23Fedora 24To trace malicious activity facilitated by the FTP
service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log format.
Confirm Existence and Permissions of System Log FilesFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6All syslog log files should be owned by the appropriate group.The syslog Plugin Of the Audit Event Multiplexor (audispd) Is Activatedactive setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes'Scientific Linux 7The operating system installed on the system is
Scientific Linux 7Aide Database Must ExistFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6CentOS 4CentOS 5Red Hat Enterprise Linux 4Red Hat Enterprise Linux 5The aide database must be initialized.Set Password minlen RequirementsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The password minlen should meet minimum requirementsFile grub.cfg PermissionsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7File permissions for grub.cfg should be set to 0600 (or stronger). By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfgAll GIDs Are Present In /etc/groupFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6CentOS 4CentOS 5Red Hat Enterprise Linux 4Red Hat Enterprise Linux 5All GIDs referenced in /etc/passwd must be defined in /etc/group.Auditd Maximum Number of Logs to Retainnum_logs setting in /etc/audit/auditd.conf is set to at least a certain valueAudit Discretionary Access Control Modification Events - fchownatFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Verify that System Executables Have Restrictive PermissionsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6CentOS 4CentOS 5Red Hat Enterprise Linux 4Red Hat Enterprise Linux 5
Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
/usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable.
Ensure insecure_locks is disabledAllowing insecure file locking could allow for sensitive
data to be viewed or edited by an unauthorized user.Disable Ctrl-Alt-Del Reboot ActivationFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7By default, the system will reboot when the
Ctrl-Alt-Del key sequence is pressed.Audit Discretionary Access Control Modification Events - fsetxattrFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Auditd Action to Take When Disk is Low on Spaceadmin_space_left_action setting in /etc/audit/auditd.conf is set to a certain actionAudit System Administrator ActionsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Audit actions taken by system administrators on the system.Disable usb-storage Kernel ModuleFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The kernel module usb-storage should be disabled.Proper Permissions User Home DirectoriesFile permissions should be set correctly for the home directories for all user accounts.Add nosuid Option to /dev/shmFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The nosuid mount option should be set for temporary storage
partitions such as /dev/shm. The suid/sgid permissions should not be
required in these world-writable directories.Kernel Runtime Parameter "kernel.exec-shield" CheckFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The kernel runtime parameter "kernel.exec-shield" should not be disabled and set to 1 on 32-bit systems.Set Last Login/Access NotificationFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Configure the system to notify users of last login/access using pam_lastlog.Add nodev Option to /dev/shmFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Legitimate character and block devices should not exist
within temporary directories like /dev/shm. The nodev mount option should
be specified for /dev/shm.Set OpenSSH Idle Timeout IntervalThe SSH idle timeout interval should be set to an
appropriate value.Set Password ocredit RequirementsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The password ocredit should meet minimum requirementsNo nullok Option in /etc/pam.d/system-authThe file /etc/pam.d/system-auth should not contain the nullok optionDisable GNOME3 AutomountingFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives)
whenever they are inserted into the system. Disable automount and autorun
within GNOME3.Set SHA512 Password Hashing Algorithm in /etc/login.defsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The password hashing algorithm should be set correctly in /etc/login.defs.Implement Blank ScreensaverFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The GNOME3 screensaver should be blank.Audit Discretionary Access Control Modification Events - chmodFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Audit Discretionary Access Control Modification Events - lchownFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Disable dccp Kernel ModuleFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The kernel module dccp should be disabled.CentOS 7The operating system installed on the system is
CentOS 7Banner for FTP UsersRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Fedora 22Fedora 23Fedora 24This setting will cause the system greeting banner to be
used for FTP connections as well.Audit File Deletion EventsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Audit files deletion events.Package dconf InstalledFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The RPM package dconf should be installed.Bind Mount /var/tmp To /tmpFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The /var/tmp directory should be bind mounted to /tmp in
order to consolidate temporary storage into one location protected by the
same techniques as /tmp.Verify File Hashes with RPMRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Fedora 22Fedora 23Fedora 24Verify the RPM digests of system binaries using the RPM database.Audit Discretionary Access Control Modification Events - fchmodFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)Fedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.Set Password Expiration ParametersThe password minimum length should be set appropriately.Verify File Ownership And Permissions Using RPMFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Verify the integrity of installed packages
by comparing the installed files with information about the
files taken from the package metadata stored in the RPM
database.Service crond EnabledFedora 22Fedora 23Fedora 24The crond service should be enabled if possible.Disable All GNOME3 ThumbnailersFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The system's default desktop environment, GNOME3, uses a
number of different thumbnailer programs to generate thumbnails for any
new or modified content in an opened folder. Disable the execution of
these thumbnail applications within GNOME3.Set Password minclass RequirementsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The password minclass should meet the minimum requirementsPackage vsftpd InstalledFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The RPM package vsftpd should be installed.Limit Password ReuseFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The passwords to remember should be set correctly.Set All Accounts To Have Unique NamesAll accounts on the system should have unique names for proper accountability.Set Password Expiration ParametersThe minimum password age policy should be set appropriately.Add nodev Option to /tmpFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6Legitimate character and block devices should not exist
within temporary directories like /tmp. The nodev mount option should be
specified for /tmp.Service auditd EnabledFedora 22Fedora 23Fedora 24The auditd service should be enabled if possible.Auditd Action to Take When Disk Starting to Run Low on Spacespace_left_action setting in /etc/audit/auditd.conf is set to a certain actionPackage audit InstalledFedora 22Fedora 23Fedora 24The RPM package audit should be installed.Record Attempts to Alter Login and Logout EventsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Audit rules should be configured to log successful and unsuccessful login and logout events.Audit Information Export To MediaFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Audit rules that detect the mounting of filesystems should be enabled.Lock out account after failed login attemptsThe number of allowed failed logins should be set correctly.Audit Discretionary Access Control Modification Events - setxattrFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Audit Discretionary Access Control Modification Events - lsetxattrFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.File grub.cfg Owned By root Group Fedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The grub.cfg file should be owned by the root group. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfgPackage net-snmp RemovedThe RPM package net-snmp should be removed.Service chronyd EnabledFedora 22Fedora 23Fedora 24The chronyd service should be enabled if possible.Ensure auditd Collects Information on the Use of Privileged CommandsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Audit rules about the information on the use of privileged commands are enabled.Disable root Login via SSHRoot login via SSH should be disabled (and dependencies are
met)Red Hat Enterprise Linux 6Fedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The operating system installed on the system is
Red Hat Enterprise Linux 6Set Boot Loader PasswordFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The grub2 boot loader should have password protection enabled.CentOS 6The operating system installed on the system is
CentOS 6Disable the GNOME3 Login User ListFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Disable the GNOME3 GUI listing of all known users on the login screen.Add nosuid Option to /tmpFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The nosuid mount option should be set for temporary storage
partitions such as /tmp. The suid/sgid permissions should not be required
in these world-writable directories.Enable GNOME3 Login Warning BannerFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Enable the GNOME3 Login warning banner.Audit Discretionary Access Control Modification Events - removexattrFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Implement Local DB for DConf User ProfileFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The DConf User profile should have the local DB configured.Set Password difok RequirementsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The password difok should meet minimum requirementsService sshd DisabledFedora 22Fedora 23Fedora 24The sshd service should be disabled.Package openssh-server RemovedFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6The RPM package openssh-server should be removed.UID 0 Belongs Only To RootOnly the root account should be assigned a user id of 0.Verify that Shared Library Files Have Restrictive PermissionsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are not group-writable or world-writable.
Package firewalld InstalledFedora 22Fedora 23Fedora 24The RPM package firewalld should be installed.Package chrony InstalledFedora 22Fedora 23Fedora 24The RPM package chrony should be installed.Record Attempts to Alter Time Through Clock_settimeFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Record attempts to alter time through clock_settime.Check pam_pwquality Existence in system-authFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Check that pam_pwquality.so exists in system-authSet Password dcredit RequirementsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The password dcredit should meet minimum requirementsRed Hat Enterprise Linux 7The operating system installed on the system is
Red Hat Enterprise Linux 7Audit Discretionary Access Control Modification Events - chownFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Record Attempts to Alter Process and Session Initiation InformationFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Audit rules should capture information about session initiation.Disable Empty PasswordsRemote connections from accounts with empty passwords should
be disabled (and dependencies are met)Auditd Action to Take When Maximum Log Size Reachedmax_log_file_action setting in /etc/audit/auditd.conf is set to a certain actionSet Password retry RequirementsRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Fedora 22Fedora 23Fedora 24The password retry should meet minimum requirementsRecord Attempts to Alter Time Through StimeFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Record attempts to alter time through stime. Note that on
64-bit architectures the stime system call is not defined in the audit
system calls lookup table.Package Antivirus InstalledAntivirus software should be installed.Set Password maxrepeat RequirementsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The password maxrepeat should meet minimum
requirements using pam_pwqualityRecord Events that Modify the System's Network EnvironmentFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The network environment should not be modified by anything other than
administrator action. Any change to network parameters should be audited.Scientific Linux 6The operating system installed on the system is
Scientific Linux 6Kernel Runtime Parameter IPv6 CheckFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Disables IPv6 for all network interfaces.Change the default firewalld zone to dropFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Change the default firewalld zone to drop.Ensure gpgcheck Enabled For All Yum Package RepositoriesRed Hat Enterprise Linux 7Red Hat Enterprise Linux 6Fedora 22Fedora 23Fedora 24Ensure all yum repositories utilize signature checking.Auditd Email Account to Notify Upon Actionaction_mail_acct setting in /etc/audit/auditd.conf is set to a certain accountRecord Events that Modify the System's Mandatory Access ControlsFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.Write permissions are disabled for group and other in all
directories in Root's PathCheck each directory in root's path and make use it does
not grant write permission to group and otherMake Audit Configuration ImmutableFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Force a reboot to change audit rules is enabledAdd noexec Option to /dev/shmFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7Red Hat Enterprise Linux 6It can be dangerous to allow the execution of binaries from
world-writable temporary storage directories such as /dev/shm. The noexec
mount option prevents binaries from being executed out of
/dev/shm.Audit Discretionary Access Control Modification Events - fremovexattrFedora 22Fedora 23Fedora 24Red Hat Enterprise Linux 7The changing of file permissions and attributes should be audited.Installed operating system is FedoraThe operating system installed on the system is Fedora/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*-S[\s]+settimeofday[\s]+.*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*-S[\s]+settimeofday[\s]+.*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*-S[\s]+settimeofday[\s]+.*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*-S[\s]+settimeofday[\s]+.*-k[\s]+[\S]+[\s]*$1/etc/yum.conf^\s*gpgcheck\s*=\s*1\s*$1/etc/login.defs.*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n1oval:ssg-variable_last_pass_max_days_instance_value:var:1/etc/dconf/db/local.d/^.*$^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$1/etc/dconf/db/local.d/locks/^.*$^/org/gnome/desktop/screensaver/idle-activation-enabled$1/etc/dconf/db/local.d/^.*$^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$1/etc/dconf/db/local.d/locks/^.*$^/org/gnome/desktop/screensaver/lock-enabled$1/etc/dconf/db/local.d/^.*$^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-delay=uint32[\s]0$1/etc/dconf/db/local.d/locks/^.*$^/org/gnome/desktop/screensaver/lock-delay$1prelink/etc/login.defs.*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n1oval:ssg-variable_last_pass_warn_age_instance_value:var:1/etc/sysconfig/prelink^[\s]*PRELINKING=no[\s]*1cronie/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+lremovexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+lremovexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+lremovexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+lremovexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1multi-user.target/etc/snmp/snmpd.conf^[\s]*(com2se|rocommunity|rwcommunity)1/etc/dconf/db/local.d/^.*$^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=uint32[\s][0-9]*$1/etc/dconf/db/local.d/locks/^.*$^/org/gnome/desktop/session/idle-delay$1/etc/dconf/db/local.d/^.*$^idle-delay[\s=]*uint32[\s]([^=\s]*)1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/usr/sbin/insmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/usr/sbin/rmmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-w\s+/usr/sbin/modprobe[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+init_module\s+\-S\s+delete_module\s+\-k\s+[-\w]+\s*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-w[\s]+/usr/sbin/insmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/audit.rules^\-w[\s]+/usr/sbin/rmmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/audit.rules^\-w\s+/usr/sbin/modprobe[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/audit.rules^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+init_module\s+\-S\s+delete_module\s+\-k\s+[-\w]+\s*$1/etc/ssh/sshd_config^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$1/etc/dconf/db/gdm.d/locks/^.*$^/org/gnome/login-screen/banner-message-text$1/etc/dconf/db/gdm.d/^.*$^banner-message-text=[\s']*([^']*)1/etc/audit/auditd.conf^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$1/usr/lib/systemd/system/rescue.service^ExecStart=\-.*/sbin/sulogin1/usr/lib/systemd/system/runlevel1.target^Requires=.*rescue.service1/etc/systemd/system^rescue.service$/etc/systemd/system^runlevel1.target$/etc/rsyslog.conf^\$IncludeConfig[\s]+([^\s;]+)1^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/rsyslog.conf^\$IncludeConfig[\s]+([^\s;]+)1^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$1/etc/chrony.conf^[\s]*server[\s]+.+$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s+]\-k[\s]+\w+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s+]\-k[\s]+\w+[\s]*$1/etc/audit/audit.rules^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$1/etc/audit/audit.rules^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$1/etc/audit/audit.rules^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$1/etc/audit/audit.rules^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*-k[\s]+[\S]+[\s]*$1/etc/securetty^.*$1/etc/securetty^$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchmodat[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchmodat[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchmodat[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchmodat[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/security/pwquality.conf^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)1/etc/security/pwquality.conf^ucredit[s\]*=[\s]*(-?\d+)(?:[\s]|$)1/etc/audit/auditd.conf^[ ]*log_group[ ]+=[ ]+root[ ]*$1/var/log/auditoval:ssg-state_owner_not_root_root_var_log_audit:ste:1/var/log/audit^.*$oval:ssg-state_owner_not_root_root_var_log_audit:ste:1/var/log/auditoval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1/var/log/audit^.*$oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1/etc/securetty^ttyS[0-9]+$1/etc/issue1/etc/chrony.conf^([\s]*server[\s]+.+$){2,}$1/etc/passwd^(?!root).*:x:0*([0-9]{1,2}|[1-4][0-9]{2}):[\d]*:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$1.*^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexecoval:ssg-state_owner_binaries_not_root:ste:1^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec^.*$oval:ssg-state_owner_binaries_not_root:ste:1/etc/security/limits.conf^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)1/etc/snmp/snmpd.conf^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private)1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*-S[\s]+adjtimex[\s]+.*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*-S[\s]+adjtimex[\s]+.*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*-S[\s]+adjtimex[\s]+.*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*-S[\s]+adjtimex[\s]+.*-k[\s]+[\S]+[\s]*$1/etc/default/grub^\s*GRUB_CMDLINE_LINUX="(.*)"$1/etc/pam.d/system-auth^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([0-9]*).*$1/etc/pam.d/system-auth^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([0-9]*).*$1/etc/pam.d/password-auth^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([0-9]*).*$1/etc/pam.d/password-auth^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([0-9]*).*$1^\/lib(|64)\/|^\/usr\/lib(|64)\/oval:ssg-state_owner_libraries_not_root:ste:1^\/lib(|64)\/|^\/usr\/lib(|64)\/^.*$oval:ssg-state_owner_libraries_not_root:ste:1/home^\.netrc$/boot/grub2/grub.cfg/boot/efi/EFI/redhat/grub.cfg/etc/securetty^vc/[0-9]+$1/etc/vsftpd/vsftpd.conf^[\s]*xferlog_enable[\s]*=[\s]*YES$1/etc/vsftpd/vsftpd.conf^[\s]*xferlog_std_format[\s]*=[\s]*NO$1/etc/vsftpd/vsftpd.conf^[\s]*log_ftp_protocol[\s]*=[\s]*YES$1/etc/rsyslog.conf^\$IncludeConfig[\s]+([^\s;]+)1^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$1/etc/audisp/plugins.d/syslog.conf^[ ]*active[ ]+=[ ]+yes[ ]*$1sl-release/etc/aide.conf^@@define[\s]DBDIR[\s]+(/.*)$1/etc/aide.conf^database_out=file:@@{DBDIR}/([a-z.]+)$1/etc/security/pwquality.conf^minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$)1/boot/grub2/grub.cfg/boot/efi/EFI/redhat/grub.cfg/etc/group^.*:x:([0-9]+):1/etc/passwd^.*:[0-9]+:([0-9]+):1/etc/audit/auditd.conf^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchownat[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchownat[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchownat[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchownat[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec^.*$oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1oval:ssg-state_perms_binary_files_symlink:ste:1/etc/exports^(.*?(\binsecure_locks\b)[^$]*)$1/etc/systemd/system/ctrl-alt-del.target/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fsetxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fsetxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fsetxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fsetxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/auditd.conf^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/modprobe.d^.*\.conf$^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$1/etc/modprobe.conf^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$1/etc/modules-load.d^.*\.conf$^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$1/run/modules-load.d^.*\.conf$^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$1/usr/lib/modules-load.d^.*\.conf$^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$1/homeoval:ssg-state_home_dirs_home_itself:ste:1oval:ssg-state_home_dirs_wrong_perm:ste:1/dev/shm/etc/sysctl.conf^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$1kernel.exec-shield/boot/grub2/grub.cfg[\s]*noexec[\s]*=[\s]*off1/etc/pam.d/postlogin[\n][\s]*session[\s]+\[default=1\][\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*\n[\s]*session[\s]+optional[\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*[\n]1/dev/shm/etc/ssh/sshd_config^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$1/etc/security/pwquality.conf^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)1/etc/pam.d/system-auth\s*nullok\s*1/etc/dconf/db/local.d/^.*$^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$1/etc/dconf/db/local.d/locks/^.*$^/org/gnome/desktop/media-handling/automount$1/etc/dconf/db/local.d/^.*$^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$1/etc/dconf/db/local.d/locks/^.*$^/org/gnome/desktop/media-handling/automount-open$1/etc/dconf/db/local.d/^.*$^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$1/etc/dconf/db/local.d/locks/^.*$^/org/gnome/desktop/media-handling/autorun-never$1/etc/login.defs.*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n1oval:ssg-variable_last_encrypt_method_instance_value:var:1/etc/dconf/db/local.d/^.*$^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=string[\s]\'\'$1/etc/dconf/db/local.d/locks/^.*$^/org/gnome/desktop/screensaver/picture-uri$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+chmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+chmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+chmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+chmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+lchown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+lchown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+lchown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+lchown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/modprobe.d^.*\.conf$^\s*install\s+dccp\s+(/bin/false|/bin/true)$1/etc/modprobe.conf^\s*install\s+dccp\s+(/bin/false|/bin/true)$1/etc/modules-load.d^.*\.conf$^\s*install\s+dccp\s+(/bin/false|/bin/true)$1/run/modules-load.d^.*\.conf$^\s*install\s+dccp\s+(/bin/false|/bin/true)$1/usr/lib/modules-load.d^.*\.conf$^\s*install\s+dccp\s+(/bin/false|/bin/true)$1centos-release/etc/vsftpd/vsftpd.conf^[\s]*banner_file[\s]*=[\s]*/etc/issue*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+rmdir\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+rmdir\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1dconf/var/tmp/etc/mtab^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$
1.*.*.*.*.*^.*bin/.*$oval:ssg-state_files_fail_md5_hash:ste:1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchmod[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-a\s+always,exit\s+\-F\s+arch=b32\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EACCES\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/etc/audit/rules\.d/.*\.rules^\-a\s+always,exit\s+\-F\s+arch=b32\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EPERM\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/etc/audit/rules\.d/.*\.rules^\-a\s+always,exit\s+\-F\s+arch=b64\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EACCES\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/etc/audit/rules\.d/.*\.rules^\-a\s+always,exit\s+\-F\s+arch=b64\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EPERM\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-a\s+always,exit\s+\-F\s+arch=b32\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EACCES\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/etc/audit/audit.rules^\-a\s+always,exit\s+\-F\s+arch=b32\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EPERM\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/etc/audit/audit.rules^\-a\s+always,exit\s+\-F\s+arch=b64\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EACCES\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/etc/audit/audit.rules^\-a\s+always,exit\s+\-F\s+arch=b64\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EPERM\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/etc/login.defs.*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n1oval:ssg-variable_last_pass_min_len_instance_value:var:1.*.*.*.*.*.*oval:ssg-state_files_fail_user_ownership:ste:1.*.*.*.*.*.*oval:ssg-state_files_fail_group_ownership:ste:1.*.*.*.*.*.*oval:ssg-state_files_fail_mode:ste:1/etc/dconf/db/local.d/^.*$^\[org/gnome/desktop/thumbnailers]([^\n]*\n+)+?disable-all=true$1/etc/dconf/db/local.d/locks/^.*$^/org/gnome/desktop/thumbnailers/disable-all$1/etc/security/pwquality.conf^minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$)1vsftpd/etc/pam.d/system-auth^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$1/etc/pam.d/system-auth^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$1/etc/passwd^([^:]+):.*$1oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1/etc/login.defs.*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n1oval:ssg-variable_last_pass_min_days_instance_value:var:1/tmp/etc/audit/auditd.conf^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$1audit/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-w\s+/var/log/tallylog\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/etc/audit/rules\.d/.*\.rules^\-w\s+/var/run/faillock/\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/etc/audit/rules\.d/.*\.rules^\-w\s+/var/log/lastlog\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-w\s+/var/log/tallylog\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/etc/audit/audit.rules^\-w\s+/var/run/faillock/\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/etc/audit/audit.rules^\-w\s+/var/log/lastlog\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+mount\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+mount\s+\-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$1/etc/pam.d/system-auth[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]1/etc/pam.d/system-auth[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]1/etc/pam.d/system-auth[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]1/etc/pam.d/password-auth[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]1/etc/pam.d/password-auth[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]1/etc/pam.d/password-auth[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+setxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+setxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+setxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+setxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+lsetxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+lsetxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+lsetxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+lsetxattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/boot/grub2/grub.cfg/boot/efi/EFI/redhat/grub.cfgnet-snmp/[a-z]+oval:ssg-state_setuid_or_setgid_set:ste:1oval:ssg-state_dev_proc_sys_dirs:ste:1oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*(-a always,exit -F path=[^\n]+ -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged)[\s]*$1oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*(-a always,exit -F path=[^\n]+ -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged)[\s]*$1oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1/etc/ssh/sshd_config^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$1redhat-release-workstationredhat-release-server/etc/grub2.cfg^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$1/etc/grub2.cfg^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$1centos-release/etc/dconf/db/gdm.d/^.*$^\[org/gnome/login-screen]([^\n]*\n+)+?disable-user-list=true$1/etc/dconf/db/gdm.d/locks/^.*$^/org/gnome/login-screen/disable-user-list$1/tmp/etc/dconf/db/gdm.d/^.*$^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$1/etc/dconf/db/gdm.d/locks/^.*$^/org/gnome/login-screen/banner-message-enable$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+removexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+removexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+removexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+removexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/dconf/profile/user^user-db:user\nsystem-db:local$1/etc/security/pwquality.conf^difok[\s]*=[\s]*(\d+)(?:[\s]|$)1/etc/systemd/system/multi-user.target.wants/sshd.serviceoval:ssg-state_symlink:ste:1openssh-server/etc/passwd^(?!root:)[^:]*:[^:]*:01^\/lib(|64)|^\/usr\/lib(|64)oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1oval:ssg-perms_state_symlink:ste:1^\/lib(|64)|^\/usr\/lib(|64)^.*$oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1oval:ssg-perms_state_symlink:ste:1firewalldchrony/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)time-change[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)time-change[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)time-change[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)time-change[\s]*$1/etc/pam.d/system-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$1/etc/security/pwquality.conf^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)1redhat-release-workstationredhat-release-server/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+chown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+chown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+chown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+chown[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-w\s+/var/run/utmp\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/etc/audit/rules\.d/.*\.rules^\-w\s+/var/log/btmp\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/etc/audit/rules\.d/.*\.rules^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-w\s+/var/run/utmp\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/etc/audit/audit.rules^\-w\s+/var/log/btmp\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/etc/audit/audit.rules^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$1/etc/ssh/sshd_config^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$1/etc/audit/auditd.conf^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$1/etc/pam.d/system-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*retry=([0-9]*).*$1/etc/pam.d/system-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*-S[\s]+stime[\s]+.*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*-S[\s]+stime[\s]+.*-k[\s]+[\S]+[\s]*$1McAfeeVSEForLinux/etc/security/pwquality.conf^maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$)1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+[-\w]+\s*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+[-\w]+\s*$1/etc/audit/audit.rules^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/audit.rules^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/audit.rules^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/etc/audit/audit.rules^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1sl-release/etc/sysctl.d/ipv6.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$1net.ipv6.conf.all.disable_ipv6/etc/firewalld/firewalld.conf^DefaultZone=drop$1/etc/yum.repos.d.*^\s*gpgcheck\s*=\s*0\s*$1/etc/audit/auditd.conf^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$1PATHoval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1oval:ssg-state_accounts_root_path_dirs_symlink:ste:1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^\-e\s+2\s*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^\-e\s+2\s*$1/dev/shm/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/augenrules.*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fremovexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/rules\.d/.*\.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fremovexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fremovexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1/etc/audit/audit.rules^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fremovexattr[\s]+)(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$1fedora-release/etc/system-release-cpe^cpe:\/o:fedoraproject:fedora:[\d]+$1firewalld.servicei6860x86_64regular0regularfalsefalsefalsefalsefalsefalsefalse110000x00^.*audit=1.*$00regular0unix^7.*$1falsefalsefalsefalsefalsefalsefalsetruetruesymbolic link/etc/systemd/system/ctrl-alt-del.target/dev/null/hometruetruetruetruetruetruetruenosuid1nodev01SHA512^7.*$failfailfailfailcrond.service1nodevauditd.service0chronyd.servicetruetrue^\/(dev|proc|sys)\/.*$^6.*$^6.*$^6.*$nosuid1symbolic linktruetruesymbolic link1unix^7.*$^7.*$^6.*$1truetruesymbolic linknoexec%/etc/rsyslog.conf%/etc/rsyslog.conf%/etc/rsyslog.conf/-a always,exit -F path= -F perm=x -F auid>=1000 -F auid!=4294967295 -k privilegeddraftGuide to the Secure Configuration of FedoraThis guide presents a catalog of security-relevant configuration
settings for Fedora operating system formatted in the eXtensible Configuration
Checklist Description Format (XCCDF).
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a catalog, not a
checklist, and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives. Some example
XCCDF Profiles, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP).
Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.Red Hat and Fedora are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.0.1.28Common Profile for General-Purpose Fedora SystemsThis profile contains items common to general-purpose Fedora installations.A conditional clause for check statements.A conditional clause for check statements.This is a placeholder.Introduction
The purpose of this guidance is to provide security configuration
recommendations and baselines for the Fedora operating system.
Recommended settings for the basic operating system are provided,
as well as for many network services that the system can provide
to other systems.
The guide is intended for system administrators. Readers are assumed to
possess basic system administration skills for Unix-like systems, as well
as some familiarity with Fedora's documentation and administration
conventions. Some instructions within this guide are complex.
All directions should be followed completely and with understanding of
their effects in order to avoid serious adverse effects on the system
and its security.
General Principles
The following general principles motivate much of the advice in this
guide and should also influence any configuration decisions that are
not explicitly covered.
Encrypt Transmitted Data Whenever Possible
Data transmitted over a network, whether wired or wireless, is susceptible
to passive monitoring. Whenever practical solutions for encrypting
such data exist, they should be applied. Even if data is expected to
be transmitted only over a local network, it should still be encrypted.
Encrypting authentication data, such as passwords, is particularly
important. Networks of Fedora machines can and should be configured
so that no unencrypted authentication data is ever transmitted between
machines.
Minimize Software to Minimize Vulnerability
The simplest way to avoid vulnerabilities in software is to avoid
installing that software. On Fedora, the RPM Package Manager (originally
Red Hat Package Manager, abbreviated RPM) allows for careful management of
the set of software packages installed on a system. Installed software
contributes to system vulnerability in several ways. Packages that
include setuid programs may provide local attackers a potential path to
privilege escalation. Packages that include network services may give
this opportunity to network-based attackers. Packages that include
programs which are predictably executed by local users (e.g. after
graphical login) may provide opportunities for trojan horses or other
attack code to be run undetected. The number of software packages
installed on a system can almost always be significantly pruned to include
only the software for which there is an environmental or operational need.
Run Different Network Services on Separate Systems
Whenever possible, a server should be dedicated to serving exactly one
network service. This limits the number of other services that can
be compromised in the event that an attacker is able to successfully
exploit a software flaw in one network service.
Configure Security Tools to Improve System Robustness
Several tools exist which can be effectively used to improve a system's
resistance to and detection of unknown attacks. These tools can improve
robustness against attack at the cost of relatively little configuration
effort. In particular, this guide recommends and discusses the use of
Iptables for host-based firewalling, SELinux for protection against
vulnerable services, and a logging and auditing infrastructure for
detection of problems.
Least Privilege
Grant the least privilege necessary for user accounts and software to perform tasks.
For example, sudo can be implemented to limit authorization to super user
accounts on the system only to designated personnel. Another example is to limit
logins on server systems to only those administrators who need to log into them in
order to perform administration tasks. Using SELinux also follows the principle of
least privilege: SELinux policy can confine software to perform only actions on the
system that are specifically allowed. This can be far more restrictive than the
actions permissible by the traditional Unix permissions model.
How to Use This Guide
Readers should heed the following points when using the guide.
Read Sections Completely and in Order
Each section may build on information and recommendations discussed in
prior sections. Each section should be read and understood completely;
instructions should never be blindly applied. Relevant discussion may
occur after instructions for an action.
Test in Non-Production Environment
This guidance should always be tested in a non-production environment
before deployment. This test environment should simulate the setup in
which the system will be deployed as closely as possible.
Root Shell Environment Assumed
Most of the actions listed in this document are written with the
assumption that they will be executed by the root user running the
/bin/bash shell. Commands preceded with a hash mark (#)
assume that the administrator will execute the commands as root, i.e.
apply the command via sudo whenever possible, or use
su to gain root privileges if sudo cannot be
used. Commands which can be executed as a non-root user are are preceded
by a dollar sign ($) prompt.
Formatting Conventions
Commands intended for shell execution, as well as configuration file text,
are featured in a monospace font. Italics are used
to indicate instances where the system administrator must substitute
the appropriate information into a command or configuration file.
Reboot Required
A system reboot is implicitly required after some actions in order to
complete the reconfiguration of the system. In many cases, the changes
will not take effect until a reboot is performed. In order to ensure
that changes are applied properly and to test functionality, always
reboot the system after applying a set of recommendations from this guide.
System SettingsInstalling and Maintaining SoftwareThe following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates.Updating SoftwareThe yum command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the System menu, in the Administration submenu,
called Software Update.
Fedora systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Tools such as
yum or the graphical Software Update ensure usage of RPM
packages for software installation. This allows for insight into the current
inventory of installed software on the system, and is highly recommended.
gpgcheck Enabled In Main Yum ConfigurationThe gpgcheck option should be used to ensure
checking of an RPM package's signature always occurs prior to its
installation. To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1SI-7MA-1(b)352663
Ensuring the validity of packages' cryptographic signatures prior to
installation ensures the provenance of the software and
protects against malicious tampering.
To determine whether yum is configured to use gpgcheck,
inspect /etc/yum.conf and ensure the following appears in the
[main] section:
gpgcheck=1
A value of 1 indicates that gpgcheck is enabled. Absence of a
gpgcheck line or a setting of 0 indicates that it is
disabled.
gpgcheck Enabled For All Yum Package RepositoriesTo ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0SI-7MA-1(b)352663
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the provenance of the software and
protects against malicious tampering.
To determine whether yum has been configured to disable
gpgcheck for any repos, inspect all files in
/etc/yum.repos.d and ensure the following does not appear in any
sections:
gpgcheck=0
A value of 0 indicates that gpgcheck has been disabled for that repo.
Software Integrity Checking
Both the AIDE (Advanced Intrusion Detection Environment)
software and the RPM package management system provide
mechanisms for verifying the integrity of installed software.
AIDE uses snapshots of file metadata (such as hashes) and compares these
to current system files in order to detect changes.
The RPM package management system can conduct integrity
checks by comparing information in its metadata database with
files installed on the system.
Integrity checking cannot prevent intrusions,
but can detect that they have occurred. Requirements
for software integrity checking may be highly dependent on
the environment in which the system will be used. Snapshot-based
approaches such as AIDE may induce considerable overhead
in the presence of frequent software updates.
Verify Integrity with AIDEAIDE conducts integrity checks by comparing information about
files with previously-gathered information. Ideally, the AIDE database is
created immediately after initial system configuration, and then again after any
software update. AIDE is highly configurable, with further configuration
information located in /usr/share/doc/aide-VERSION.
Install AIDE
Install the AIDE package with the command:
$ sudo yum install aideCM-3(d)CM-3(e)CM-6(d)CM-6(3)SC-28SI-71069Test attestation on 20121024 by DS
The AIDE package must be installed if it is to be available for integrity checking.
Run the following command to determine if the aide package is installed:
$ sudo rpm -q aideDisable Prelinking
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
/etc/sysconfig/prelink:
PRELINKING=no
Next, run the following command to return binaries to a normal, non-prelinked state:
$ sudo /usr/sbin/prelink -uaCM-6(d)CM-6(3)SC-28SI-7
The prelinking feature can interfere with the operation
of AIDE, because it changes binaries.
#
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua
Build and Test AIDE DatabaseRun the following command to generate a new database:
# /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz.
Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
# /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
CM-3(d)CM-3(e)CM-6(d)CM-6(3)SC-28SI-7
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
Configure Periodic Execution of AIDE
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example.
CM-3(d)CM-3(e)CM-6(d)CM-6(3)SC-28SI-73744161069126312971589
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
To determine that periodic AIDE execution has been scheduled, run the following command:
# grep aide /etc/crontabVerify Integrity with RPMThe RPM package management system includes the ability
to verify the integrity of installed packages by comparing the
installed files with information about the files taken from the
package metadata stored in the RPM database. Although an attacker
could corrupt the RPM database (analogous to attacking the AIDE
database as described above), this check can still reveal
modification of important files. To list which files on the system differ from what is expected by the RPM database:
# rpm -qVa
See the man page for rpm to see a complete explanation of each column.
Verify and Correct File Permissions with RPM
The RPM package management system can check file access
permissions of installed software packages, including many that are
important to system security.
After locating a file with incorrect permissions, run the following command to determine which package owns it:
# rpm -qf FILENAME
Next, run the following command to reset its permissions to
the correct values:
# rpm --setperms PACKAGENAMEAC-6CM-6(d)CM-6(3)149314941495
Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.
The following command will list which files on the system have permissions different from what
is expected by the RPM database:
# rpm -Va | grep '^.M'Verify File Hashes with RPMThe RPM package management system can check the hashes of
installed software packages, including many that are important to system
security. Run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
# rpm -Va | grep '^..5'
A "c" in the second column indicates that a file is a configuration file, which
may appropriately be expected to change. If the file was not expected to
change, investigate the cause of the change using audit logs or other means.
The package can then be reinstalled to restore the file.
Run the following command to determine which package owns the file:
# rpm -qf FILENAME
The package can be reinstalled from a yum repository using the command:
yum reinstall PACKAGENAME
Alternatively, the package can be reinstalled from trusted media using the command:
rpm -Uvh PACKAGENAMECM-6(d)CM-6(3)SI-71496
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system. The following command will list which files on the system
have file hashes different from what is expected by the RPM database.
# rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'Additional Security Software
Additional security software that is not provided or supported
by Red Hat can be installed to provide complementary or duplicative
security capabilities to those provided by the base platform. Add-on
software may not be appropriate for some specialized systems.
Install Intrusion Detection Software
The Red Hat platform includes a sophisticated auditing system
and SELinux, which provide host-based intrusion detection capabilities.
SC-71263
Host-based intrusion detection tools provide a system-level defense when an
intruder gains access to a system or network.
Inspect the system to determine if intrusion detection software has been installed.
Verify this intrusion detection software is active.
Install Virus Scanning Software
Install virus scanning software, which uses signatures to search for the
presence of viruses on the filesystem.
The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems.
Ensure virus definition files are no older than 7 days, or their last release.
Configure the virus scanning software to perform scans dynamically on all
accessed files. If this is not possible, configure the
system to scan all altered files on the system on a daily
basis. If the system processes inbound SMTP mail, configure the virus scanner
to scan all received mail.
SC-28SI-312391668
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems.
Inspect the system for a cron job or system service which executes
a virus scanning tool regularly.
To verify the McAfee VSEL system service is operational,
run the following command:
# /etc/init.d/nails status
To check on the age of uvscan virus definition files, run the following command:
# cd /opt/NAI/LinuxShield/engine/dat
# ls -la avvscan.dat avvnames.dat avvclean.datFile Permissions and MasksTraditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access.
Restrict Partition Mount OptionsSystem partitions can be mounted with certain options
that limit what files on those partitions can do. These options
are set in the /etc/fstab configuration file, and can be
used to make certain types of malicious behavior more difficult.Removable PartitionThis value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions,
and mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from
removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable
partitions that are required on the local system./dev/cdromAdd nodev Option to Non-Root Local PartitionsThe nodev mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any non-root local partitions.
CM-7The nodev mount option prevents files from being
interpreted as character or block devices. The only legitimate location
for device files is the /dev directory located on the root partition.
The only exception to this is chroot jails, for which it is not advised
to set nodev on these filesystems.Add nodev Option to Removable Media PartitionsThe nodev mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions.
AC-19(a)AC-19(d)AC-19(e)CM-7MP-2The only legitimate location for device files is the /dev directory
located on the root partition. An exception to this is chroot jails, and it is
not advised to set nodev on partitions which contain their root
filesystems.Add noexec Option to Removable Media PartitionsThe noexec mount option prevents the direct
execution of binaries on the mounted filesystem.
Preventing the direct execution of binaries from removable media (such as a USB
key) provides a defense against malicious software that may be present on such
untrusted media.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions.
AC-19(a)AC-19(d)AC-19(e)CM-7MP-287Allowing users to execute binaries from removable media such as USB keys exposes
the system to potential compromise.
To verify that binaries cannot be directly executed from removable media, run the following command:
$ grep -v noexec /etc/fstab
The resulting output will show partitions which do not have the noexec flag. Verify all partitions
in the output are not removable media.
Add nosuid Option to Removable Media PartitionsThe nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removeable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions.
AC-19(a)AC-19(d)AC-19(e)CM-7MP-2The presence of SUID and SGID executables should be tightly controlled. Allowing
users to introduce SUID or SGID binaries from partitions mounted off of
removable media would allow them to introduce their own highly-privileged programs.Add nodev Option to /tmp
The nodev mount option can be used to prevent device files from
being created in /tmp.
Legitimate character and block devices should not exist
within temporary directories like /tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp.
CM-7MP-2The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.Add noexec Option to /tmpThe noexec mount option can be used to prevent binaries
from being executed out of /tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp.
CM-7MP-2Allowing users to execute binaries from world-writable directories
such as /tmp should never be necessary in normal operation and
can expose the system to potential compromise.Add nosuid Option to /tmpThe nosuid mount option can be used to prevent
execution of setuid programs in /tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp.
CM-7MP-2The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions.Add nodev Option to /dev/shmThe nodev mount option can be used to prevent creation
of device files in /dev/shm.
Legitimate character and block devices should not exist
within temporary directories like /dev/shm.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm.
CM-7MP-2The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails.Add noexec Option to /dev/shmThe noexec mount option can be used to prevent binaries
from being executed out of /dev/shm.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm.
CM-7MP-2Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise.Add nosuid Option to /dev/shmThe nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm. The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm.
CM-7MP-2The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions.Bind Mount /var/tmp To /tmpThe /var/tmp directory is a world-writable directory.
Bind-mount it to /tmp in order to consolidate temporary storage into
one location protected by the same techniques as /tmp. To do so, edit
/etc/fstab and add the following line:
/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0
See the mount(8) man page for further explanation of bind mounting.
CM-7Having multiple locations for temporary storage is not required. Unless absolutely
necessary to meet requirements, the storage location /var/tmp should be bind mounted to
/tmp and thus share the same protections.Restrict Dynamic Mounting and Unmounting of
FilesystemsLinux includes a number of facilities for the automated addition
and removal of filesystems on a running system. These facilities may be
necessary in many environments, but this capability also carries some risk -- whether direct
risk from allowing users to introduce arbitrary filesystems,
or risk that software flaws in the automated mount facility itself could
allow an attacker to compromise the system.
This command can be used to list the types of filesystems that are
available to the currently executing kernel:
$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
If these filesystems are not required then they can be explicitly disabled
in a configuratio file in /etc/modprobe.d.
Disable Modprobe Loading of USB Storage Driver
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install usb-storage /bin/true
This will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually.AC-19(a)AC-19(d)AC-19(e)125085USB storage devices such as thumb drives can be used to introduce
malicious software.echo "install usb-storage /bin/true" > /etc/modprobe.d/usb-storage.conf
If the system is configured to prevent the loading of the
usb-storage kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as
/bin/true) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf:
$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.dDisable Kernel Support for USB via Bootloader Configuration
All USB support can be disabled by adding the nousb
argument to the kernel's boot loader configuration. To do so,
append "nousb" to the kernel line in /etc/grub.conf as shown:
kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousbWARNING: Disabling all kernel support for USB will cause problems for
systems with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.AC-19(a)AC-19(d)AC-19(e)1250Disabling the USB subsystem within the Linux kernel at system boot will
protect against potentially malicious USB devices, although it is only practical
in specialized systems.
Disable Booting from USB Devices in Boot FirmwareConfigure the system boot firmware (historically called BIOS on PC
systems) to disallow booting from USB drives.
AC-19(a)AC-19(d)AC-19(e)1250Booting a system from a USB device would allow an attacker to
circumvent any security measures provided by the operating system. Attackers
could mount partitions and modify the configuration of the OS.Assign Password to Prevent Changes to Boot Firmware ConfigurationAssign a password to the system boot firmware (historically called BIOS on PC
systems) to require a password for any configuration changes.
Assigning a password to the system boot firmware prevents anyone
with physical access from configuring the system to boot
from local media and circumvent the operating system's access controls.
For systems in physically secure locations, such as
a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed
against the risk of administrative personnel being unable to conduct recovery operations in
a timely fashion.
Disable the AutomounterThe autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl disable autofs.serviceAC-19(a)AC-19(d)AC-19(e)125085Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
To check that the autofs service is disabled in system boot configuration, run the following command:
$ sudo chkconfig autofs --list
Output should indicate the autofs service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo chkconfig autofs --list
autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Run the following command to verify autofs is disabled through current runtime configuration:
$ sudo service autofs status
If the service is disabled the command will return the following output:
autofs is stoppedDisable GNOME3 AutomountingThe system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount and autorun within GNOME3,
the automount, automount-open, and autorun-never settings must be set
under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
After the settings have been set, run dconf update.
AC-19(a)AC-19(d)AC-19(e)Disabling automatic mounting in GNOME3 can prevent
the introduction of malware via removable media.
It will, however, also prevent desktop users from legitimate use
of removable media.
These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.media-handling automount
$ gsettings get org.gnome.desktop.media-handling automount-open
$ gsettings get org.gnome.desktop.media-handling autorun-never
If properly configured, the output for automount should be false.
If properly configured, the output for automount-openshould be false.
If properly configured, the output for autorun-never should be true.
To ensure that users cannot enable automount and autorun in GNOME3, run the following:
$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*
If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/auto-open
If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-neverDisable Mounting of cramfs
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem.
CM-7Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.Disable Mounting of freevxfs
To configure the system to prevent the freevxfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install freevxfs /bin/true
This effectively prevents usage of this uncommon filesystem.
CM-7Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.Disable Mounting of jffs2
To configure the system to prevent the jffs2
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install jffs2 /bin/true
This effectively prevents usage of this uncommon filesystem.
CM-7Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.Disable Mounting of hfs
To configure the system to prevent the hfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install hfs /bin/true
This effectively prevents usage of this uncommon filesystem.
CM-7Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.Disable Mounting of hfsplus
To configure the system to prevent the hfsplus
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install hfsplus /bin/true
This effectively prevents usage of this uncommon filesystem.
CM-7Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.Disable Mounting of squashfs
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install squashfs /bin/true
This effectively prevents usage of this uncommon filesystem.
CM-7Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.Disable Mounting of udf
To configure the system to prevent the udf
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install udf /bin/true
This effectively prevents usage of this uncommon filesystem.
CM-7Linux kernel modules which implement filesystems that are not needed by the
local system should be disabled.Disable All GNOME3 ThumbnailersThe system's default desktop environment, GNOME3, uses
a number of different thumbnailer programs to generate thumbnails
for any new or modified content in an opened folder. To disable the
execution of these thumbnail applications, the disable-all setting must be set
under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
After the settings have been set, run dconf update.
This effectively prevents an attacker from gaining access to a
system through a flaw in GNOME3's Nautilus thumbnail creators.
CM-7An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious
file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem
(via a web upload for example) and assuming a user browses the same location using Nautilus, the
malicious file would exploit the thumbnailer with the potential for malicious code execution. It
is best to disable these thumbnailer applications unless they are explicitly required.
These settings can be verified by running the following:
$ gsettings get org.gnome.desktop.thumbnailers disable-all
If properly configured, the output should be true.
To ensure that users cannot how long until the the screensaver locks, run the following:
$ grep disable-all /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/thumbnailers/disable-allVerify File Permissions Within Some Important DirectoriesSome directories contain files whose confidentiality or integrity
is notably important and may also be susceptible to misconfiguration over time,
particularly if unpackaged software is installed. As such, an argument exists
to verify that files' permissions within these directories remain configured
correctly and restrictively.
Shared Library Files Have Restrictive PermissionsSystem-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in
/lib/modules. All files in these directories should not be
group-writable or world-writable. If any file in these directories is found to
be group-writable or world-writable, correct its permission with the following
command:
# chmod go-w FILEAC-61499Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the
system.
Shared Library Files Have Root OwnershipSystem-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also
stored in /lib/modules. All files in these directories should be owned
by the root user. If the directory, or any file in these directories,
is found to be owned by a user other than root correct its ownership with the
following command:
# chown root FILEAC-61499Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system.
System Executables Have Restrictive Permissions
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable.
If any file FILE in these directories is found to be group-writable or
world-writable, correct its permission with the following command:
# chmod go-w FILEAC-61499System binaries are executed by privileged users, as well as system
services, and restrictive permissions are necessary to ensure execution of
these programs cannot be co-opted.
System Executables Have Root Ownership
System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If
any file FILE in these directories is found to be owned by a user other
than root, correct its ownership with the following command:
# chown root FILEAC-61499System binaries are executed by privileged users as well as system
services, and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted.
Restrict Programs from Dangerous Execution PatternsThe recommendations in this section are designed to
ensure that the system's features to protect against potentially
dangerous program execution are activated.
These protections are applied at the system initialization or
kernel level, and defend against certain types of badly-configured
or compromised programs.Daemon UmaskThe umask is a per-process setting which limits
the default permissions for creation of new files and directories.
The system includes initialization scripts which set the default umask
for system daemons.
daemon umaskEnter umask for daemons022022027Set Daemon UmaskThe file /etc/init.d/functions includes initialization
parameters for most or all daemons started at boot time. The default umask of
022 prevents creation of group- or world-writable files. To set the default
umask for daemons, edit the following line, inserting 022 or 027 for
UMASK appropriately:
umask
Setting the umask to too restrictive a setting can cause serious errors at
runtime. Many daemons on the system already individually restrict themselves to
a umask of 077 in their own init scripts.
AC-6The umask influences the permissions assigned to files created by a
process at run time. An unnecessarily permissive umask could result in files
being created with insecure permissions.
To check the value of the umask, run the following command:
$ grep umask /etc/init.d/functions
The output should show either 022 or 027.
Disable Core DumpsA core dump file is the memory image of an executable
program when it was terminated by the operating system due to
errant behavior. In most cases, only software developers
legitimately need to access these files. The core dump files may
also contain sensitive information, or unnecessarily occupy large
amounts of disk space.
Once a hard limit is set in /etc/security/limits.conf, a
user cannot increase that limit within his or her own session. If access
to core dumps is required, consider restricting them to only
certain users or groups. See the limits.conf man page for more
information.
The core dumps of setuid programs are further protected. The
sysctl variable fs.suid_dumpable controls whether
the kernel allows core dumps from these programs at all. The default
value of 0 is recommended.Disable Core Dumps for All UsersTo disable core dumps for all users, add the following line to
/etc/security/limits.conf:
* hard core 0SC-5A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.
To verify that core dumps are disabled for all users, run the following command:
$ grep core /etc/security/limits.conf
The output should be:
* hard core 0Disable Core Dumps for SUID programs
To set the runtime status of the fs.suid_dumpable kernel parameter,
run the following command:
$ sudo sysctl -w fs.suid_dumpable=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
fs.suid_dumpable = 0SI-11The core dump of a setuid program is more likely to contain
sensitive data, as the program itself runs with greater privileges than the
user who initiated execution of the program. Disabling the ability for any
setuid program to write a core file decreases the risk of unauthorized access
of such data.
The status of the fs.suid_dumpable kernel parameter can be queried
by running the following command:
$ sysctl fs.suid_dumpable
The output of the command should indicate a value of 0.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
/etc/sysctl.conf.
Enable ExecShieldExecShield describes kernel features that provide
protection against exploitation of memory corruption errors such as buffer
overflows. These features include random placement of the stack and other
memory regions, prevention of execution in memory that should only hold data,
and special handling of text buffers. These protections are enabled by default
on 32-bit systems and controlled through sysctl variables
kernel.exec-shield and kernel.randomize_va_space. On the latest
64-bit systems, kernel.exec-shield cannot be enabled or disabled with
sysctl.
Enable ExecShieldBy default on Fedora 64-bit systems, ExecShield
is enabled and can only be disabled if the hardware does not support ExecShield
or is disabled in /etc/default/grub. For Fedora
32-bit systems, sysctl can be used to enable ExecShield.SC-392530ExecShield uses the segmentation feature on all x86 systems
to prevent execution in memory higher than a certain address. It
writes an address as a limit in the code segment descriptor, to
control where code can be executed, on a per-process basis. When
the kernel places a process's memory regions such as the stack and
heap higher than this address, the hardware prevents execution in that
address range. This is enabled by default on the latest Red Hat and Fedora
systems if supported by the hardware.
To verify ExecShield is enabled on 64-bit Fedora systems,
run the following command:
$ dmesg | grep '[NX|DX]*protection'
The output should not contain 'disabled by kernel command line option'.
To verify that ExecShield has not been disabled in the kernel configuration,
run the following command:
$ sudo grep noexec /boot/grub2/grub.cfg
The output should not return noexec=off.
For 32-bit Fedora systems, run the following command:
$ sysctl kernel.exec-shield
The output should be:
To set the runtime status of the kernel.exec-shield kernel parameter,
run the following command:
$ sudo sysctl -w kernel.exec-shield=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.exec-shield = 1Enable Randomized Layout of Virtual Address Space
To set the runtime status of the kernel.randomize_va_space kernel parameter,
run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2SC-30(2) Address space layout randomization (ASLR) makes it more difficult
for an attacker to predict the location of attack code they have introduced
into a process's address space during an attempt at exploitation. Additionally, ASLR
makes it more difficult for an attacker to know the location of existing code
in order to re-purpose it using return oriented programming (ROP) techniques.
The status of the kernel.randomize_va_space kernel parameter can be queried
by running the following command:
$ sysctl kernel.randomize_va_space
The output of the command should indicate a value of 2.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
/etc/sysctl.conf.
Enable Execute Disable (XD) or No Execute (NX) Support on
x86 SystemsRecent processors in the x86 family support the
ability to prevent code execution on a per memory page basis.
Generically and on AMD processors, this ability is called No
Execute (NX), while on Intel processors it is called Execute
Disable (XD). This ability can help prevent exploitation of buffer
overflow vulnerabilities and should be activated whenever possible.
Extra steps must be taken to ensure that this protection is
enabled, particularly on 32-bit x86 systems. Other processors, such
as Itanium and POWER, have included such support since inception
and the standard kernel for those platforms supports the
feature. This is enabled by default on the latest Red Hat and
Fedora systems if supported by the hardware.Install PAE Kernel on Supported 32-bit x86 SystemsSystems that are using the 64-bit x86 kernel package
do not need to install the kernel-PAE package because the 64-bit
x86 kernel already includes this support. However, if the system is
32-bit and also supports the PAE and NX features as
determined in the previous section, the kernel-PAE package should
be installed to enable XD or NX support:
$ sudo yum install kernel-PAE
The installation process should also have configured the
bootloader to load the new kernel at boot. Verify this at reboot
and modify /etc/default/grub if necessary.The kernel-PAE package should not be
installed on older systems that do not support the XD or NX bit, as
this may prevent them from booting.CM-6(b)On 32-bit systems that support the XD or NX bit, the vendor-supplied
PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.Enable NX or XD Support in the BIOSReboot the system and enter the BIOS or Setup configuration menu.
Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
on AMD-based systems.CM-6(b)Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
allow users to turn the feature on or off at will.Restrict Access to Kernel Message Buffer
To set the runtime status of the kernel.dmesg_restrict kernel parameter,
run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
If this is not the system's default value, add the following line to /etc/sysctl.conf:
kernel.dmesg_restrict = 1SI-111314Unprivileged access to the kernel syslog can expose sensitive kernel
address information.
The status of the kernel.dmesg_restrict kernel parameter can be queried
by running the following command:
$ sysctl kernel.dmesg_restrict
The output of the command should indicate a value of 1.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
/etc/sysctl.conf.
Account and Access ControlIn traditional Unix security, if an attacker gains
shell access to a certain login account, they can perform any action
or access any file to which that account has access. Therefore,
making it more difficult for unauthorized people to gain shell
access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces
mechanisms for restricting access to accounts under Fedora.
Protect Accounts by Restricting Password-Based LoginConventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the /etc/passwd and
/etc/shadow files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary.Restrict Root Logins
Direct root logins should be allowed only for emergency use.
In normal situations, the administrator should access the system
via a unique unprivileged account, and then use su or sudo to execute
privileged commands. Discouraging administrators from accessing the
root account directly ensures an audit trail in organizations with
multiple administrators. Locking down the channels through which
root can connect directly also reduces opportunities for
password-guessing against the root account. The login program
uses the file /etc/securetty to determine which interfaces
should allow root logins.
The virtual devices /dev/console
and /dev/tty* represent the system consoles (accessible via
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
installation). The default securetty file also contains /dev/vc/*.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Furthermore, /dev/hvc* represent virtio-serial
consoles, /dev/hvsi* IBM pSeries serial consoles, and finally
/dev/xvc0 Xen virtual console. Root should also be prohibited
from connecting via network protocols. Other sections of this document
include guidance describing how to prevent root from logging in via SSH.
Direct root Logins Not AllowedTo further limit access to the root account, administrators
can disable root logins at the console by editing the /etc/securetty file.
This file lists all devices the root user is allowed to login to. If the file does
not exist at all, the root user can login through any communication device on the
system, whether via the console or via a raw network interface. This is dangerous
as user can login to his machine as root via Telnet, which sends the password in
plain text over the network. By default, Fedora's /etc/securetty file
only allows the root user to login at the console physically attached to the
machine. To prevent root from logging in, remove the contents of this file.
To prevent direct root logins, remove the contents of this file by typing the
following command:
echo > /etc/securetty
IA-2(1)
Disabling direct root logins ensures proper accountability and multifactor
authentication to privileged accounts. Users will first login, then escalate
to privileged (root) access via su / sudo. This scenario is nowadays required
by security standards.
echo > /etc/securetty
To ensure root may not directly login to the system over physical consoles,
run the following command:
cat /etc/securetty
If any output is returned, this is a finding.
Virtual Console Root Logins Restricted
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4AC-6(2)770
Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system
using the root account.
sed -i '/^vc\//d' /etc/securetty
To check for virtual console entries which permit root login, run the
following command:
# grep ^vc/[0-9] /etc/securetty
If any output is returned, then root logins over virtual console devices is permitted.
Serial Port Root Logins RestrictedTo restrict root logins on serial ports,
ensure lines of this form do not appear in /etc/securetty:
ttyS0
ttyS1AC-6(2)770
Preventing direct root login to serial port interfaces
helps ensure accountability for actions taken on the systems
using the root account.
sed -i '/ttyS/d' /etc/securetty
To check for serial port entries which permit root login,
run the following command:
# grep ^ttyS/[0-9] /etc/securetty
If any output is returned, then root login over serial ports is permitted.
Web Browser Use for Administrative Accounts Restricted
Enforce policy requiring administrative accounts use web browsers only for
local service administration.
If a browser vulnerability is exploited while running with administrative privileges,
the entire system could be compromised. Specific exceptions for local service
administration should be documented in site-defined policy.
Check the root home directory for a .mozilla directory. If
one exists, ensure browsing is limited to local service administration.
System Accounts Do Not Run a Shell Upon Login
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
function. Should an attacker be able to log into these accounts,
they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each line
in /etc/passwd. System accounts are those user accounts with a user ID less than
500. The user ID is stored in the third field.
If any system account SYSACCT (other than root) has a login shell,
disable it with the command:
# usermod -s /sbin/nologin SYSACCT
Do not perform the steps in this
section on the root account. Doing so might cause the system to
become inaccessible.
AC-2CM-6(b)178
Ensuring shells are not given to system accounts upon login
makes it more difficult for attackers to make use of
system accounts.
To obtain a listing of all users,
their UIDs, and their shells, run the command:
$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
Identify the system accounts from this listing. These will
primarily be the accounts with UID numbers less than 500, other
than root.
Only Root Has UID 0
If any account other than root has a UID of 0,
this misconfiguration should be investigated and the
accounts other than root should be removed or have their UID changed.
AC-6IA-2(1)366
An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
To list all password file entries for accounts with UID 0, run the following command:
# awk -F: '($3 == "0") {print}' /etc/passwd
This should print only one line, for the user root.
Root Path Is Vendor Default
Assuming root shell is bash, edit the following files:
~/.profile~/.bashrc
Change any PATH variables to the vendor default for root and remove any
empty PATH entries or references to relative paths.
The root account's executable search path must be the vendor default, and must
contain only absolute paths.
To view the root user's PATH, run the following command:
# env | grep PATH
If correctly configured, the PATH must: use vendor default settings,
have no empty entries, and have no entries beginning with a character
other than a slash (/).
Proper Storage and Existence of Password Hashes
By default, password hashes for local accounts are stored
in the second field (colon-separated) in
/etc/shadow. This file should be readable only by
processes running with root credentials, preventing users from
casually accessing others' password hashes and attempting
to crack them.
However, it remains possible to misconfigure the system
and store password hashes
in world-readable files such as /etc/passwd, or
to even store passwords themselves in plaintext on the system.
Using system-provided tools for password change/creation
should allow administrators to avoid such misconfiguration.
Log In to Accounts With Empty Password ImpossibleIf an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the nullok
option in /etc/pam.d/system-auth to
prevent logins with empty passwords.
IA-5(b)IA-5(c)IA-5(1)(a)
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational
environments.
To verify that null passwords cannot be used, run the following command:
# grep nullok /etc/pam.d/system-auth
If this produces any output, it may be possible to log into accounts
with empty passwords.
Password Hashes For Each Account Shadowed
If any password hashes are stored in /etc/passwd (in the second field,
instead of an x), the cause of this misconfiguration should be
investigated. The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
IA-5(h)201
The hashes for all user account passwords should be stored in
the file /etc/shadow and never in /etc/passwd,
which is readable by all users.
To check that no password hashes are stored in
/etc/passwd, run the following command:
# awk -F: '($2 != "x") {print}' /etc/passwd
If it produces any output, then a password hash is
stored in /etc/passwd.
All GIDs referenced in /etc/passwd Defined in /etc/group
Add a group to the system for each GID referenced without a corresponding group.
366
Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.
To ensure all GIDs referenced in /etc/passwd are defined in /etc/group,
run the following command:
# pwck -qr
There should be no output.
netrc Files Do Not ExistThe .netrc files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any .netrc files should be removed.
IA-5(h)196
Unencrypted passwords for remote FTP servers may be stored in .netrc
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
To check the system for the existence of any .netrc files,
run the following command:
# find /home -xdev -name .netrcSet Password Expiration ParametersThe file /etc/login.defs controls several
password-related settings. Programs such as passwd,
su, and login consult /etc/login.defs to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page login.defs(5) for more information.
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
PASS_MAX_DAYS and apply it to existing accounts with the
-M flag.
The PASS_MIN_DAYS (-m) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The PASS_WARN_AGE (-W) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
For example, for each existing human user USER, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
# chage -M 180 -m 7 -W 7 USERminimum password lengthMinimum number of characters in passwordThis will only check new passwords1268101214maximum password ageMaximum age of password in daysThis will only apply to newly created accounts606090120180minimum password ageMinimum age of password in daysThis will only apply to newly created accounts775120warning days before password expiresThe number of days' warning given before a password expires.This will only apply to newly created accounts70714Password Minimum LengthTo specify password length requirements for new accounts,
edit the file /etc/login.defs, locate the following line:
PASS_MIN_LEN LENGTH
and correct it to have the form of:
PASS_MIN_LEN
Nowadays recommended values, considered as secure by various organizations
focused on topic of computer security, range from 12 (FISMA) up to
14 (DoD) characters for password length requirements.
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
IA-5(f)IA-5(1)(a)205
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or
counterproductive behavior that may result.
var_accounts_password_minlen_login_defs=""
grep -q ^PASS_MIN_LEN /etc/login.defs && \
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi
To check the minimum password length, run the command:
$ grep PASS_MIN_LEN /etc/login.defs
Passwords of length 12 characters and more are nowadays
considered to be a standard requirement.
Password Minimum AgeTo specify password minimum age for new accounts,
edit the file /etc/login.defs, locate the following line:
PASS_MIN_DAYS DAYS
and correct it to have the form of:
PASS_MIN_DAYS
A value greater than 1 day is considered to be sufficient for many environments.
IA-5(f)IA-5(1)(d)198
Setting the minimum password age protects against users cycling
back to a favorite password after satisfying the password reuse
requirement.
var_accounts_minimum_age_login_defs=""
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi
To check the minimum password age, run the command:
$ grep PASS_MIN_DAYS /etc/login.defs
A value greater than 1 day is considered to be sufficient for many environments.
Password Maximum AgeTo specify password maximum age for new accounts,
edit the file /etc/login.defs, locate the following line:
PASS_MAX_DAYS DAYS
and correct it to have the form of:
PASS_MAX_DAYS
A value less than 180 days is sufficient for many environments.
IA-5(f)IA-5(g)IA-5(1)(d)180199
Setting the password maximum age ensures users are required to
periodically change their passwords. This could possibly decrease
the utility of a stolen password. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.var_accounts_maximum_age_login_defs=""
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
To check the maximum password age, run the command:
$ grep PASS_MAX_DAYS /etc/login.defs
A value less than 180 days is sufficient for many environments.
Password Warning AgeTo specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs, locate the following line:
PASS_WARN_AGE DAYS
and correct it to have the form of:
PASS_WARN_AGE
A value of 7 days would be nowadays considered to be a standard.
IA-5(f)
Setting the password warning age enables users to make the change
at a practical time.
var_accounts_password_warn_age_login_defs=""
grep -q ^PASS_WARN_AGE /etc/login.defs && \
sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi
To check the password warning age, run the command:
$ grep PASS_WARN_AGE /etc/login.defs
A value of 7 days would be nowadays considered to be a standard.
Set Account Expiration ParametersAccounts can be configured to be automatically disabled
after a certain time period,
meaning that they will require administrator interaction to become usable again.
Expiration of accounts after inactivity can be set for all accounts by default
and also on a per-account basis, such as for accounts that are known to be temporary.
To configure automatic expiration of an account following
the expiration of its password (that is, after the password has expired and not been changed),
run the following command, substituting NUM_DAYS and USER appropriately:
$ sudo chage -I NUM_DAYS USER
Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the
-E option.
The file /etc/default/useradd controls
default settings for all newly-created accounts created with the system's
normal command line utilities.
number of days after a password expires until the account is permanently disabledThe number of days to wait after a password expires, until the account will be permanently disabled.This will only apply to newly created accounts3530356090180Set Account Expiration Following InactivityTo specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in /etc/default/useradd, substituting
NUM_DAYS appropriately:
INACTIVE=UNDEFINED_SUB
A value of 35 is recommended.
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
useradd man page for more information. Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
AC-2(2)AC-2(3)1617795
Disabling inactive accounts ensures that accounts which may not
have been responsibly removed are not available to attackers
who may have compromised their credentials.
CCE-TBD
To verify the INACTIVE setting, run the following command:
grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set
to an appropriate integer as shown in the example below:
$ sudo grep "INACTIVE" /etc/default/useradd
INACTIVE=UNDEFINED_SUBEnsure All Accounts on the System Have Unique Names
Change usernames, or delete accounts, so each has a unique name.
770804
Unique usernames allow for accountability on the system.
Run the following command to check for duplicate account names:
$ sudo pwck -qr
If there are no duplicate names, no line will be returned.
Assign Expiration Date to Temporary Accounts
Temporary accounts are established as part of normal account activation procedures
when there is a need for short-term accounts. In the event temporary
or emergency accounts are required, configure the system to terminate
them after a documented time period. For every temporary and
emergency account, run the following command to set an expiration date on it,
substituting USER and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD USERYYYY-MM-DD indicates the documented expiration date for the account.
For U.S. Government systems, the operating system must be configured to automatically terminate
these typoes of accounts after a period of 72 hours.
AC-2(2)AC-2(3)1616822
If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
CCE-27498-5
For every temporary and emergency account, run the following command
to obtain its account aging and expiration information:
$ sudo chage -l USER
Verify each of these accounts has an expiration date set as documented.
Secure Session Configuration Files for Login AccountsWhen a user logs into a Unix account, the system
configures the user's session by reading a number of files. Many of
these files are located in the user's home directory, and may have
weak permissions as a result of user error or misconfiguration. If
an attacker can modify or even read certain types of account
configuration information, they can often gain full access to the
affected user's account. Therefore, it is important to test and
correct configuration file permissions for interactive accounts,
particularly those of privileged users such as root or system
administrators.Maximum concurrent login sessionsMaximum number of concurrent sessions by a user1135101520Limit the Number of Concurrent Login Sessions Allowed Per User
Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf:
* hard maxlogins AC-1054Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions.
Run the following command to ensure the maxlogins value is configured for all users
on the system:
$ grep "maxlogins" /etc/security/limits.conf
You should receive output similar to the following:
* hard maxlogins Ensure that No Dangerous Directories Exist in Root's PathThe active path of the root account can be obtained by
starting a new root shell and running:
$ sudo echo $PATH
This will produce a colon-separated list of
directories in the path.
Certain path elements could be considered dangerous, as they could lead
to root executing unknown or
untrusted programs, which could contain malicious
code.
Since root may sometimes work inside
untrusted directories, the . character, which represents the
current directory, should never be in the root path, nor should any
directory which can be written to by an unprivileged or
semi-privileged (system) user.
It is a good practice for administrators to always execute
privileged commands by typing the full path to the
command.Ensure that Root's Path Does Not Include Relative Paths or Null Directories
Ensure that none of the directories in root's path is equal to a single
. character, or
that it contains any instances that lead to relative path traversal, such as
.. or beginning a path without the slash (/) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single . character.
CM-6(b)366
Including these entries increases the risk that root could
execute code from an untrusted location.
Ensure that Root's Path Does Not Include World or Group-Writable Directories
For each element in root's path, run:
$ sudo ls -ld DIR
and ensure that write permissions are disabled for group and
other.
CM-6(b)366
Such entries increase the risk that root could
execute code provided by unprivileged users,
and potentially malicious code.
To ensure write permissions are disabled for group and other
for each element in root's path, run the following command:
$ sudo ls -ld DIREnsure that User Home Directories are not Group-Writable or World-ReadableFor each human user of the system, view the
permissions of the user's home directory:
$ sudo ls -ld /home/USER
Ensure that the directory is not group-writable and that it
is not world-readable. If necessary, repair the permissions:
$ sudo chmod g-w /home/USER
$ sudo chmod o-rwx /home/USERThis action may involve
modifying user home directories. Notify your user community, and
solicit input if appropriate, before making this type of
change.AC-6(7)225
User home directories contain many configuration files which
affect the behavior of a user's account. No user should ever have
write permission to another user's home directory. Group shared
directories can be configured in sub-directories or elsewhere in the
filesystem if they are needed. Typically, user home directories
should not be world-readable, as it would disclose file names
to other users. If a subset of users need read access
to one another's home directories, this can be provided using
groups or ACLs.
To ensure the user home directory is not group-writable or world-readable, run the following:
$ sudo ls -ld /home/USEREnsure that Users Have Sensible Umask Values
The umask setting controls the default permissions
for the creation of new files.
With a default umask setting of 077, files and directories
created by users will not be readable by any other user on the
system. Users who wish to make specific files group- or
world-readable can accomplish this by using the chmod command.
Additionally, users can make all their files readable to their
group by default by setting a umask of 027 in their shell
configuration files. If default per-user groups exist (that is, if
every user has a default group whose name is the same as that
user's username and whose only member is the user), then it may
even be safe for users to select a umask of 007, making it very
easy to intentionally share files with groups of which the user is
a member.
Sensible umaskEnter default user umask027007022027077Ensure the Default Bash Umask is Set Correctly
To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask SA-8366The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
Verify the umask setting is configured correctly in the /etc/bashrc file by
running the following command:
$ grep "umask" /etc/bashrc
All output must show the value of umask set as shown below:
$ grep "umask" /etc/bashrc
umask
umask Ensure the Default C Shell Umask is Set Correctly
To ensure the default umask for users of the C shell is set properly,
add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask SA-8366The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
Verify the umask setting is configured correctly in the /etc/csh.cshrc file by
running the following command:
$ grep "umask" /etc/csh.cshrc
All output must show the value of umask set as shown in the below:
$ grep "umask" /etc/csh.cshrc
umask Ensure the Default Umask is Set Correctly in /etc/profile
To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask SA-8366The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
Verify the umask setting is configured correctly in the /etc/profile file by
running the following command:
$ grep "umask" /etc/profile
All output must show the value of umask set as shown in the below:
$ grep "umask" /etc/profile
umask Ensure the Default Umask is Set Correctly in login.defs
To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK SA-8366The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users.
Verify the UMASK setting is configured correctly in the /etc/login.defs file by
running the following command:
$ grep -i "UMASK" /etc/login.defs
All output must show the value of umask set as shown in the below:
$ grep -i "UMASK" /etc/login.defs
umask Protect Accounts by Configuring PAMPAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides
a flexible and configurable architecture for authentication, and it should be configured
to minimize exposure to unnecessary risk. This section contains
guidance on how to accomplish that.
PAM is implemented as a set of shared objects which are
loaded and invoked whenever an application wishes to authenticate a
user. Typically, the application must be running as root in order
to take advantage of PAM, because PAM's modules often need to be able
to access sensitive stores of account information, such as /etc/shadow.
Traditional privileged network listeners
(e.g. sshd) or SUID programs (e.g. sudo) already meet this
requirement. An SUID root application, userhelper, is provided so
that programs which are not SUID or privileged themselves can still
take advantage of PAM.
PAM looks in the directory /etc/pam.d for
application-specific configuration information. For instance, if
the program login attempts to authenticate a user, then PAM's
libraries follow the instructions in the file /etc/pam.d/login
to determine what actions should be taken.
One very important file in /etc/pam.d is
/etc/pam.d/system-auth. This file, which is included by
many other PAM configuration files, defines 'default' system authentication
measures. Modifying this file is a good way to make far-reaching
authentication changes, for instance when implementing a
centralized authentication service.Be careful when making changes to PAM's
configuration files. The syntax for these files is complex, and
modifications can have unexpected consequences. The default
configurations shipped with applications should be sufficient for
most users.Running authconfig or
system-config-authentication will re-write the PAM configuration
files, destroying any manually made changes and replacing them with
a series of system defaults. One reference to the configuration
file syntax can be found at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html.rememberThe last n passwords for each user are saved in
/etc/security/opasswd in order to force password change history and
keep the user from alternating between the same password too
frequently.240451024Set Last Logon/Access NotificationTo configure the system to notify users of last logon/access
using pam_lastlog, add or correct the pam_lastlog settings in
/etc/pam.d/postlogin to read as follows:
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed53
Users need to be aware of activity that occurs regarding
their account. Providing users with information regarding the number
of unsuccessful attempts that were made to login to their account
allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators.
To ensure that last logon/access notification is configured correctly, run
the following command:
$ grep pam_lastlog.so /etc/pam.d/postlogin
The output should show output showfailed.
Set Password Quality RequirementsThe default pam_pwquality PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes. The
pam_pwquality module is the preferred way of configuring
password requirements.
The pam_cracklib PAM module can also provide strength
checking for passwords as the pam_pwquality module.
It performs a number of checks, such as making sure passwords are
not similar to dictionary words, are of at least a certain length,
are not the previous password reversed, and are not simply a change
of case from the previous password. It can also require passwords to
be in certain character classes.
The man pages pam_pwquality(8) and pam_cracklib(8)
provide information on the capabilities and
configuration of each.Set Password Quality Requirements with pam_pwqualityThe pam_pwquality PAM module can be configured to meet
requirements for a variety of policies.
For example, to configure pam_pwquality to require at least one uppercase
character, lowercase character, digit, and other (special)
character, make sure that pam_pwquality exists in /etc/pam.d/system-auth:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
Next, modify the settings in /etc/security/pwquality.conf to match the following:
difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.
Note that the password quality
requirements are not enforced for the root account for some
reason.retryNumber of retry attempts before erroring out3123maxrepeatMaximum Number of Consecutive Repeating Characters in a Password3123minlenMinimum number of characters in password1567810121415dcreditMinimum number of digits in password-1-2-10ocreditMinimum number of other (special characters) in
password-1-2-10lcreditMinimum number of lower case in password-1-2-10ucreditMinimum number of upper case in password-1-2-10difokMinimum number of characters not present in old
passwordKeep this high for short
passwords15234515minclassMinimum number of categories of characters that must exist in a password31234fail_denyNumber of failed login attempts before account lockout335610fail_unlock_timeSeconds before automatic unlocking after excessive failed logins6048009001800360086400604800fail_intervalInterval for counting failed login attempts before account lockout9009001800360086400100000000Set Password Retry Prompts Permitted Per-SessionTo configure the number of retry prompts that are permitted per-session:
Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to
show retry=, or a lower value if site policy is more restrictive.
The DoD requirement is a maximum of 3 prompts per session.
IA-5(c)
Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module.
To check how many retry attempts are permitted on a per-session basis, run the following command:
$ grep pam_pwquality /etc/pam.d/system-auth
The retry parameter will indicate how many attempts are permitted.
The DoD required value is less than or equal to 3.
This would appear as retry=3, or a lower value.
Set Password to Maximum of Three Consecutive Repeating CharactersThe pam_pwquality module's maxrepeat parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the maxrepeat setting
in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters.
IA-5(c)366
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
To check the maximum value for consecutive repeating characters, run the following command:
$ grep maxrepeat /etc/security/pwquality.conf
Look for the value of the maxrepeat parameter. The DoD requirement is 3 which would
appear as maxrepeat = 3.
Set Password Strength Minimum Digit CharactersThe pam_pwquality module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit setting in
/etc/security/pwquality.conf to require the use of a digit in passwords.
IA-5(b)IA-5(c)194
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.
To check how many digits are required in a password, run the following command:
$ grep dcredit /etc/security/pwquality.conf
The dcredit parameter (as a negative number) will indicate how many digits are required.
The DoD requires at least one digit in a password. This would appear as dcredit = -1.
Set Password Minimum LengthThe pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=
after pam_pwquality to set minimum password length requirements.
IA-5(1)(a)20578
Password length is one factor of several that helps to determine
strength and how long it takes to crack a password. Use of more characters in
a password helps to exponentially increase the time and/or resources
required to compromise the password.
To check how many characters are required in a password, run the following command:
$ grep minlen /etc/security/pwquality.conf
Your output should contain minlen = Set Password Strength Minimum Uppercase CharactersThe pam_pwquality module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit setting in
/etc/security/pwquality.conf to require the use of an uppercase character in passwords.
IA-5(b)IA-5(c)IA-5(1)(a)
Requiring a minimum number of uppercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
To check how many uppercase characters are required in a password, run the following command:
$ grep ucredit /etc/security/pwquality.conf
The ucredit parameter (as a negative number) will indicate how many uppercase characters are required.
The DoD and FISMA require at least one uppercase character in a password.
This would appear as ucredit = -1.
Set Password Strength Minimum Special CharactersThe pam_pwquality module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number, any password will be
required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit setting in
/etc/security/pwquality.conf to equal to require use of a special character in passwords.
IA-5(b)IA-5(c)IA-5(1)(a)
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.
To check how many special characters are required in a password, run the following command:
$ grep ocredit /etc/security/pwquality.conf
The ocredit parameter (as a negative number) will indicate how many special characters are required.
The DoD and FISMA require at least one special character in a password.
This would appear as ocredit = -1.
Set Password Strength Minimum Lowercase CharactersThe pam_pwquality module's lcredit parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit setting in
/etc/security/pwquality.conf to require the use of a lowercase character in passwords.
IA-5(b)IA-5(c)IA-5(1)(a)
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
To check how many lowercase characters are required in a password, run the following command:
$ grep lcredit /etc/security/pwquality.conf
The lcredit parameter (as a negative number) will indicate how many special characters are required.
The DoD and FISMA require at least one lowercase character in a password.
This would appear as lcredit = -1.
Set Password Strength Minimum Different CharactersThe pam_pwquality module's difok parameter controls requirements for usage of different
characters during a password change. Modify the difok setting in /etc/security/pwquality.conf
to equal to require differing characters when changing passwords. The DoD requirement is 4.
IA-5(b)IA-5(c)IA-5(1)(b)
Requiring a minimum number of different characters during password changes ensures that
newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however.
To check how many characters must differ during a password change, run the following command:
$ grep difok /etc/security/pwquality.conf
The difok parameter will indicate how many characters must differ. The DoD requires four characters
differ during a password change. This would appear as difok = 4.
Set Password Strength Minimum Different CategoriesThe pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require
differing categories of characters when changing passwords. The minimum requirement is 3.
Requiring a minimum number of character categories makes password guessing attacks
more difficult by ensuring a larger search space.
To check how many categories of characters must be used in password during a password change,
run the following command:
$ grep minclass /etc/security/pwquality.conf
The minclass parameter will indicate how many character classes must be used. If
the requirement was for the password to contain characters from three different categories,
then this would appear as minclass = 3.
Set Lockouts for Failed Password AttemptsThe pam_faillock PAM module provides the capability to
lock out user accounts after a number of failed login attempts. Its
documentation is available in
/usr/share/doc/pam-VERSION/txts/README.pam_faillock.
Locking out user accounts presents the
risk of a denial-of-service attack. The lockout policy
must weigh whether the risk of such a
denial-of-service attack outweighs the benefits of thwarting
password guessing attacks.Set Deny For Failed Password Attempts
To configure the system to lock out accounts after a number of incorrect login
attempts using pam_faillock.so, modify the content of both
/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.soAC-7(a)
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.
To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth
The output should show deny=.
Set Lockout Time For Failed Password Attempts
To configure the system to lock out accounts after a number of incorrect login
attempts and require an administrator to unlock the account using pam_faillock.so,
modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.soAC-7(b)47
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks. Ensuring that an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations.
To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth
The output should show unlock_time=<some-large-number>.
Set Interval For Counting Failed Password Attempts
Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out accounts after a number of incorrect login
attempts. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
add the following line immediately before the pam_unix.so statement in the AUTH section:
auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section:
auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
account required pam_faillock.soAC-7(a)1452
Locking out user accounts after a number of incorrect attempts within a
specific period of time prevents direct password guessing attacks.
To ensure the failed password attempt policy is configured correctly, run the following command:
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is
or greater.
If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable.
Limit Password ReuseDo not allow users to reuse recent passwords. This can be
accomplished by using the remember option for the pam_unix
or pam_pwhistory PAM modules. In the file
/etc/pam.d/system-auth, append remember=
to the line which refers to the pam_unix.so or
pam_pwhistory.somodule, as shown below:
for the pam_unix.so case:
password sufficient pam_unix.so existing_options remember=for the pam_pwhistory.so case:
password requisite pam_pwhistory.so existing_options remember=IA-5(f)IA-5(1)(e)
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
To verify the password reuse setting is compliant, run the following command:
$ grep remember /etc/pam.d/system-auth
The output should show the following at the end of the line:
remember=Set Password Hashing AlgorithmThe system's default algorithm for storing password hashes in
/etc/shadow is SHA-512. This can be configured in several
locations.Set Password Hashing Algorithm in /etc/pam.d/system-auth
In /etc/pam.d/system-auth, the password section of
the file controls which PAM modules execute during a password change.
Set the pam_unix.so module in the
password section to include the argument sha512, as shown below:
password sufficient pam_unix.so sha512 other arguments...
This will help ensure when local users change their passwords, hashes for the new
passwords will be generated using the SHA-512 algorithm.
This is the default.
IA-5(b)IA-5(c)IA-5(1)(c)IA-7
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Inspect the password section of /etc/pam.d/system-auth and
ensure that the pam_unix.so module includes the argument
sha512:
$ grep sha512 /etc/pam.d/system-authSet Password Hashing Algorithm in /etc/login.defs
In /etc/login.defs, add or correct the following line to ensure
the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512IA-5(b)IA-5(c)IA-5(1)(c)IA-7
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Inspect /etc/login.defs and ensure the following line appears:
ENCRYPT_METHOD SHA512Set Password Hashing Algorithm in /etc/libuser.conf
In /etc/libuser.conf, add or correct the following line in its
[defaults] section to ensure the system will use the SHA-512
algorithm for password hashing:
crypt_style = sha512IA-5(b)IA-5(c)IA-5(1)(c)IA-7
Using a stronger hashing algorithm makes password cracking attacks more difficult.
Inspect /etc/libuser.conf and ensure the following line appears
in the [default] section:
crypt_style = sha512Protect Physical Console AccessIt is impossible to fully protect a system from an
attacker with physical access, so securing the space in which the
system is located should be considered a necessary step. However,
there are some steps which, if taken, make it more difficult for an
attacker to quickly or undetectably modify a system from its
console.Set Boot Loader PasswordDuring the boot process, the boot loader is
responsible for starting the execution of the kernel and passing
options to it. The boot loader allows for the selection of
different kernels - possibly on different partitions or media.
The default Fedora boot loader for x86 systems is called GRUB2.
Options it can pass to the kernel include single-user mode, which
provides root access without any authentication, and the ability to
disable SELinux. To prevent local users from modifying the boot
parameters and endangering security, protect the boot loader configuration
with a password and ensure its configuration file's permissions
are set properly.
Verify /boot/grub2/grub.cfg User OwnershipThe file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfgAC-6(7)225
Only root should be able to modify important boot parameters.
To check the ownership of /boot/grub2/grub.cfg, run the command:
$ ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following owner:
rootVerify /boot/grub2/grub.cfg Group OwnershipThe file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfgAC-6(7)225
The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
To check the group ownership of /boot/grub2/grub.cfg, run the command:
$ ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following group-owner.
rootVerify /boot/grub2/grub.cfg PermissionsFile permissions for /boot/grub2/grub.cfg should be set to 600, which
is the default.
To properly set the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo chmod 600 /boot/grub2/grub.cfgAC-6(7)225
Proper permissions ensure that only the root user can modify important boot
parameters.
To check the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo ls -lL /boot/grub2/grub.cfg
If properly configured, the output should indicate the following
permissions: -rw-------Set Boot Loader PasswordThe grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the
appropriate grub2 configuration file(s) under /etc/grub.d.
Since plaintext passwords are a security risk, generate a hash for the pasword
by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned
password hash into the appropriate grub2 configuration file(s) under
/etc/grub.d immediately after the superuser account.
(Use the output from grub2-mkpasswd-pbkdf2 as the value of
password-hash):
password_pbkdf2 superusers-accountpassword-hash
NOTE: It is recommended not to use common administrator account names like root,
admin, or administrator for the grub2 superuser account.
To meet FISMA Moderate, the bootloader superuser account and password MUST
differ from the root account and password.
Once the superuser account and password have been added, update the
grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file.
IA-2(1)IA-5(e)213
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. For more information on how to configure
the grub2 superuser account and password, please refer to
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html.
To verify the boot loader superuser account and superuser account password have
been set, and the password encrypted, run the following command:
sudo grep -A1 "superusers\|password" /etc/grub2.cfg
The output should show the following:
set superusers="superusers-account"
password_pbkdf2 superusers-accountpassword-hashRequire Authentication for Single User ModeSingle-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service.
IA-2(1)213
This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.
To check if authentication is required for single-user mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/rescue.service
The output should be similar to the following, and the line must begin with
ExecStart and /sbin/sulogin:
ExecStart=-/sbin/suloginDisable Ctrl-Alt-Del Reboot Activation
By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
To ensure the system is configured to mask the Ctrl-Alt-Del sequence,
enter the following command:
sudo ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
sudo systemctl mask ctrl-alt-del.targetDisable Interactive Boot
To disable the ability for users to perform interactive startups,
edit the file /etc/sysconfig/init.
Add or correct the line:
PROMPT=no
The PROMPT option allows the console user to perform an
interactive system startup, in which it is possible to select the
set of services which are started on boot.
SC-2213
Using interactive boot,
the console user could disable auditing, firewalls, or other
services, weakening system security.
To check whether interactive boot is disabled, run the following command:
$ grep PROMPT /etc/sysconfig/init
If interactive boot is disabled, the output will show:
PROMPT=noConfigure Screen LockingWhen a user must temporarily leave an account
logged-in, screen locking should be employed to prevent passersby
from abusing the account. User education and training is
particularly important for screen locking to be effective, and policies
can be implemented to reinforce this.
Automatic screen locking is only meant as a safeguard for
those cases where a user forgot to lock the screen.Configure GUI Screen LockingIn the default GNOME3 desktop, the screen can be locked
by selecting the user name in the far right corner of the main panel and
selecting Lock.
The following sections detail commands to enforce idle activation of the screensaver,
screen locking, a blank-screen screensaver, and an idle
activation time.
Because users should be trained to lock the screen when they
step away from the computer, the automatic locking feature is only
meant as a backup.
The root account can be screen-locked; however,
the root account should never be used
to log into an X Windows environment and should only be used to
for direct login via console in emergency circumstances.
For more information about enforcing preferences in the GNOME3 environment using the DConf
configuration system, see http://wiki.gnome.org/dconf and
the man page dconf(1). For Red Hat specific information on configuring DConf
settings, see https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/part-Configuration_and_Administration.htmlInactivity timeoutChoose allowed duration of inactive SSH connections, shells, and X sessions900300600900Set GNOME3 Screensaver Inactivity Timeout
To set the idle time-out value for inactivity in the GNOME3 desktop to 5 minutes (in seconds),
the idle-delay setting must be set under an appropriate
configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
After the settings have been set, run dconf update.
AC-11(a)57
Setting the idle delay controls when the
screensaver will start, and can be combined with
screen locking to prevent access from passersby.
To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be .
To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delayEnable GNOME3 Screensaver Idle Activation
To activate the screensaver in the GNOME3 desktop after a period of inactivity,
the idle-activation-enabled setting must be set under an appropriate
configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
After the settings have been set, run dconf update.
AC-11(a)57
Enabling idle activation of the screensaver ensures the screensaver will
be activated after the idle delay. Applications requiring continuous,
real-time screen display (such as network management products) require the
login session does not have administrator rights and the display station is located in a
controlled-access area.
To check the screensaver mandatory use status, run the following command:
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true.
To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabledEnable GNOME3 Screensaver Lock After Idle Period
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
the lock-enabled and lock-delay setting must be set under an appropriate
configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
After the settings have been set, run dconf update.
AC-11(a)57
Enabling the activation of the screen lock after an idle period
ensures password entry will be required in order to
access the system, preventing access by passersby.
To check the status of the idle screen lock activation, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true.
To check that the screen locks when activated, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-delay
If properly configured, the output should be 0.
To ensure that users cannot change how long until the the screensaver locks, run the following:
$ grep 'lock-enabled\|lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
If properly configured, the output for lock-delay should be /org/gnome/desktop/screensaver/lock-delayImplement Blank Screensaver
To set the screensaver mode in the GNOME3 desktop to a blank screen,
the picture-uri setting must be set under an appropriate
configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
After the settings have been set, run dconf update.
AC-11(b)60
Setting the screensaver mode to blank-only conceals the
contents of the display from passersby.
To ensure the screensaver is configured to be blank, run the following command:
$ gsettings get org.gnome.desktop.screensaver picture-uri
If properly configured, the output should be ''.
To ensure that users cannot set the screensaver background, run the following:
$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uriConfigure Console Screen Locking
A console screen locking mechanism is provided in the
screen package, which is not installed by default.
Install the screen Package
To enable console screen locking, install the screen package:
$ sudo yum install screen
Instruct users to begin new terminal sessions with the following command:
$ screen
The console can now be locked with the following key combination:
ctrl+a x58
Installing screen ensures a console locking capability is available
for users who may need to suspend console logins.
Run the following command to determine if the screen package is installed:
$ sudo rpm -q screenHardware Tokens for Authentication
The use of hardware tokens such as smart cards for system login
provides stronger, two-factor authentication than using a username/password.
In Fedora servers and workstations, hardware token login
is not enabled by default and must be enabled in the system settings.
Enable Smart Card Login
To enable smart card authentication, consult the documentation at:
https://docs.fedoraproject.org/docs/en-US/Fedora/18/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html765766767768771772884Smart card login provides two-factor authentication stronger than
that provided by a username and password combination. Smart cards leverage PKI
(public key infrastructure) in order to provide and verify credentials.
Interview the SA to determine if all accounts not exempted by policy are
using CAC authentication.
Warning Banners for System AccessesEach system should expose as little information about
itself as possible.
System banners, which are typically displayed just before a
login prompt, give out information about the service or the host's
operating system. This might include the distribution name and the
system kernel version, and the particular version of a network
service. This information can assist intruders in gaining access to
the system as it can reveal whether the system is running
vulnerable software. Most network services can be configured to
limit what information is displayed.
Many organizations implement security policies that require a
system banner provide notice of the system's ownership, provide
warning to unauthorized users, and remind authorized users of their
consent to monitoring.Login Banner VerbiageEnter an appropriate login banner for your organization. Please note that new lines must
be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.Modify the System Login Banner
To configure the system login banner:
Edit /etc/issue. Replace the default text with a message
compliant with the local site policy or a legal disclaimer.
The DoD required text is either:
You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject
to routine monitoring, interception, and search, and may be disclosed or used
for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls)
to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
searching or monitoring of the content of privileged communications, or work
product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
OR:
I've read & consent to terms in IS user agreem't.AC-8(a)AC-8(b)AC-8(c)4813841385138613871388
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
To check if the system login banner is compliant,
run the following command:
$ cat /etc/issueImplement a GUI Warning BannerIn the default graphical environment, users logging
directly into the system are greeted with a login screen provided
by the GNOME3 Display Manager (GDM). The warning banner should be
displayed in this graphical environment for these users.
The following sections describe how to configure the GDM login
banner.
Enable GNOME3 Login Warning Banner
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, the banner-message-enable setting must be
set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
After the settings have been set, run dconf update.
To display a banner, this setting must be enabled, and the user must be prevented
from making changes. The banner text must also be set.
AC-8(a)AC-8(b)AC-8(c)4850
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
To ensure a login warning banner is enabled, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/*
If properly configured, the output should be true.
To ensure a login warning banner is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.
Set the GNOME3 Login Warning Banner Text
To set the text shown by the GNOME3 Display Manager
in the login screen, the banner-message-text setting must be set under an
appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory and locked
in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
After the settings have been set, run dconf update.
When entering a warning banner that spans several lines, remember
to begin and end the string with ' and use \n for new lines.
AC-8(a)AC-8(b)AC-8(c)4813841385138613871388
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
To ensure the login warning banner text is properly set, run the following:
$ grep banner-message-text /etc/dconf/db/gdm.d/*
If properly configured, the proper banner text will appear.
To ensure the login warning banner text is locked and cannot be changed by a user, run the following:
$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/banner-message-text.
Disable the GNOME3 Login User ListIn the default graphical environment, users logging
directly into the system are greeted with a login screen that displays
all known users. This functionality should be disabled.
The disable-user-list setting must be
set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
After the settings have been set, run dconf update.
AC-23Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in.
To ensure the user list is disabled, run the following command:
$ grep disable-user-list /etc/dconf/db/gdm.d/*
The output should be true.
To ensure that users cannot enable displaying the user list, run the following:
$ grep disable-user-list /etc/dconf/db/gdm.d/locks/*
If properly configured, the output should be /org/gnome/login-screen/disable-user-listNetwork Configuration and FirewallsMost machines must be connected to a network of some
sort, and this brings with it the substantial risk of network
attack. This section discusses the security impact of decisions
about networking which must be made when configuring a system.
This section also discusses firewalls, network access
controls, and other network security frameworks, which allow
system-level rules to be written that can limit an attackers' ability
to connect to your system. These rules can specify that network
traffic should be allowed or denied from certain IP addresses,
hosts, and networks. The rules can also specify which of the
system's network services are available to particular hosts or
networks.Disable Unused InterfacesNetwork interfaces expand the attack surface of the
system. Unused interfaces are not monitored or controlled, and
should be disabled.
If the system does not require network communications but still
needs to use the loopback interface, remove all files of the form
ifcfg-interface except for ifcfg-lo from
/etc/sysconfig/network-scripts:
$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface
If the system is a standalone machine with no need for network access or even
communication over the loopback device, then disable this service.
The network service can be disabled with the following command:
$ sudo systemctl disable network.serviceDisable Zeroconf NetworkingZeroconf networking allows the system to assign itself an IP
address and engage in IP communication without a statically-assigned address or
even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not
recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0
subnet, add or correct the following line in /etc/sysconfig/network:
NOZEROCONF=yesCM-7Zeroconf addresses are in the network 169.254.0.0. The networking
scripts add entries to the system's routing table for these addresses. Zeroconf
address assignment commonly occurs when the system is configured to use DHCP
but fails to receive an address assignment from the DHCP server.
Ensure System is Not Acting as a Network SnifferThe system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISCCM-7MA-3If any results are returned, then a sniffing process (such as tcpdump
or Wireshark) is likely to be using the interface and this should be
investigated.
IPv6The system includes support for Internet Protocol
version 6. A major and often-mentioned improvement over IPv4 is its
enormous increase in the number of available addresses. Another
important feature is its support for automatic configuration of
many network settings.Disable Support for IPv6 Unless Needed
Despite configuration that suggests support for IPv6 has
been disabled, link-local IPv6 address auto-configuration occurs
even when only an IPv4 address is assigned. The only way to
effectively prevent execution of the IPv6 networking stack is to
instruct the system not to activate the IPv6 kernel module.
Disable IPv6 Networking Support Automatic LoadingTo disable support for (ipv6) add the following line to
/etc/sysctl.d/ipv6.conf (or another file in
/etc/sysctl.d):
net.ipv6.conf.all.disable_ipv6 = 1
This disables IPv6 on all network interfaces as other services and system
functionality require the IPv6 stack loaded to work.
CM-71551
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
the vulnerability to exploitation.
If the system uses IPv6, this is not applicable.
If the system is configured to prevent the usage of the
ipv6 on network interfaces, it will contain a line
of the form:
net.ipv6.conf.all.disable_ipv6 = 1
Such lines may be inside any file in the /etc/sysctl.d directory.
This permits insertion of the IPv6 kernel module (which other parts of
the system expect to be present), but otherwise keeps all network interfaces
from using IPv6.
Run the following command to search for such
lines in all files in /etc/sysctl.d:
$ grep -r ipv6 /etc/sysctl.dDisable Interface Usage of IPv6To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network:
NETWORKING_IPV6=no
IPV6INIT=noDisable Support for RPC IPv6RPC services for NFSv4 try to load transport modules for
udp6 and tcp6 by default, even if IPv6 has been disabled in
/etc/modprobe.d. To prevent RPC services such as rpc.mountd
from attempting to start IPv6 network listeners, remove or comment out the
following two lines in /etc/netconfig:
udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -CM-7Configure IPv6 Settings if NecessaryA major feature of IPv6 is the extent to which systems
implementing it can automatically configure their networking
devices using information from the network. From a security
perspective, manually configuring important configuration
information is preferable to accepting it from the network
in an unauthenticated fashion.Disable Automatic ConfigurationDisable the system's acceptance of router
advertisements and redirects by adding or correcting the following
line in /etc/sysconfig/network (note that this does not disable
sending router solicitations):
IPV6_AUTOCONF=noIPV6_AUTOCONFToggle global IPv6 auto-configuration (only, if global
forwarding is disabled)noyesnonet.ipv6.conf.default.accept_raAccept default router advertisements?010net.ipv6.conf.default.accept_redirectsToggle ICMP Redirect Acceptance010Disable Accepting IPv6 Router Advertisements
To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_ra = 0CM-7
An illicit router advertisement message could result in a man-in-the-middle attack.
The status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_ra
The output of the command should indicate a value of 0.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
/etc/sysctl.conf.
Disable Accepting IPv6 Redirects
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter,
run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
If this is not the system's default value, add the following line to /etc/sysctl.conf:
net.ipv6.conf.default.accept_redirects = 0CM-71551
An illicit ICMP redirect message could result in a man-in-the-middle attack.
The status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried
by running the following command:
$ sysctl net.ipv6.conf.default.accept_redirects
The output of the command should indicate a value of 0.
If this value is not the default value, investigate how it could have been
adjusted at runtime, and verify it is not set improperly in
/etc/sysctl.conf.
Manually Assign Global IPv6 AddressTo manually assign an IP address for an interface, edit the
file /etc/sysconfig/network-scripts/ifcfg-interface. Add or correct the
following line (substituting the correct IPv6 address):
IPV6ADDR=2001:0DB8::ABCD/64
Manually assigning an IP address is preferable to accepting one from routers or
from the network otherwise. The example address here is an IPv6 address
reserved for documentation purposes, as defined by RFC3849.
366Use Privacy Extensions for AddressTo introduce randomness into the automatic generation of IPv6
addresses, add or correct the following line in
/etc/sysconfig/network-scripts/ifcfg-interface:
IPV6_PRIVACY=rfc3041
Automatically-generated IPv6 addresses are based on the underlying hardware
(e.g. Ethernet) address, and so it becomes possible to track a piece of
hardware over its lifetime using its traffic. If it is important for a system's
IP address to not trivially reveal its hardware address, this setting should be
applied.
366Manually Assign IPv6 Router AddressEdit the file
/etc/sysconfig/network-scripts/ifcfg-interface, and add or correct
the following line (substituting your gateway IP as appropriate):
IPV6_DEFAULTGW=2001:0DB8::0001
Router addresses should be manually set and not accepted via any
auto-configuration or router advertisement.
366Limit Network-Transmitted Configuration if Using Static IPv6 AddressesTo limit the configuration information requested from other
systems and accepted from the network on a system that uses
statically-configured IPv6 addresses, add the following lines to
/etc/sysctl.conf:
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
The router_solicitations setting determines how many router
solicitations are sent when bringing up the interface. If addresses are
statically assigned, there is no need to send any solicitations.
The accept_ra_pinfo setting controls whether the system will accept
prefix info from the router.
The accept_ra_defrtr setting controls whether the system will accept
Hop Limit settings from a router advertisement. Setting it to 0 prevents a
router from changing your default IPv6 Hop Limit for outgoing packets.
The autoconf setting controls whether router advertisements can cause
the system to assign a global unicast address to an interface.
The dad_transmits setting determines how many neighbor solicitations
to send out per address (global and link-local) when bringing up an interface
to ensure the desired address is unique on the network.
The max_addresses setting determines how many global unicast IPv6
addresses can be assigned to each interface. The default is 16, but it should
be set to exactly the number of statically configured global addresses
required.
firewalldThe dynamic firewall daemon firewalld provides a
dynamically managed firewall with support for network “zones” to assign
a level of trust to a network and its associated connections and interfaces.
It has support for IPv4 and IPv6 firewall settings. It supports Ethernet
bridges and has a separation of runtime and permanent configuration options.
It also has an interface for services or applications to add firewall rules
directly.
A graphical configuration tool, firewall-config, is used to configure
firewalld, which in turn uses iptables tool to communicate
with Netfilter in the kernel which implements packet filtering.
The firewall service provided by firewalld is dynamic rather than
static because changes to the configuration can be made at anytime and are
immediately implemented. There is no need to save or apply the changes. No
unintended disruption of existing network connections occurs as no part of
the firewall has to be reloaded.
Inspect and Activate Default firewalld RulesFirewalls can be used to separate networks into different zones
based on the level of trust the user has decided to place on the devices and
traffic within that network. NetworkManager informs firewalld to which
zone an interface belongs. An interface's assigned zone can be changed by
NetworkManager or via the firewall-config tool.
The zone settings in /etc/firewalld/ are a range of preset settings
which can be quickly applied to a network interface. These are the zones
provided by firewalld sorted according to the default trust level of the
zones from untrusted to trusted:
dropAny incoming network packets are dropped, there is no
reply. Only outgoing network connections are possible.blockAny incoming network connections are rejected with an
icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited
for IPv6. Only network connections initiated from within the system are
possible.publicFor use in public areas. You do not trust the other
computers on the network to not harm your computer. Only selected incoming
connections are accepted.externalFor use on external networks with masquerading enabled
especially for routers. You do not trust the other computers on the network to
not harm your computer. Only selected incoming connections are accepted.dmzFor computers in your demilitarized zone that are
publicly-accessible with limited access to your internal network. Only selected
incoming connections are accepted.workFor use in work areas. You mostly trust the other computers
on networks to not harm your computer. Only selected incoming connections are
accepted.homeFor use in home areas. You mostly trust the other computers
on networks to not harm your computer. Only selected incoming connections are
accepted.internalFor use on internal networks. You mostly trust the
other computers on the networks to not harm your computer. Only selected
incoming connections are accepted.trustedAll network connections are accepted.
It is possible to designate one of these zones to be the default zone. When
interface connections are added to NetworkManager, they are assigned
to the default zone. On installation, the default zone in firewalld is set to
be the public zone.
To find out all the settings of a zone, for example the public zone,
enter the following command as root:
# firewall-cmd --zone=public --list-all
Example output of this command might look like the following:
# firewall-cmd --zone=public --list-all
public
interfaces:
services: mdns dhcpv6-client ssh
ports:
forward-ports:
icmp-blocks: source-quench
To view the network zones currently active, enter the following command as root:
# firewall-cmd --get-service
The following listing displays the result of this command on common Fedora
Server system:
# firewall-cmd --get-service
amanda-client amanda-k5-client bacula bacula-client cockpit dhcp dhcpv6
dhcpv6-client dns dropbox-lansync freeipa-ldap freeipa-ldaps
freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec
iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh
mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
postgresql privoxy proxy-dhcp ptp puppetmaster radius rpc-bind rsyncd samba
samba-client sane smtp squid ssh synergy telnet tftp tftp-client tinc tor-socks
transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local
xmpp-server
Finally to view the network zones that will be active after the next firewalld
service reload, enter the following command as root:
# firewall-cmd --get-service --permanentVerify firewalld Enabled
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
The dynamic firewall daemon firewalld provides a dynamically managed
firewall with support for network “zones”, Ethernet bridges, and has a
separation of runtime and permanent configuration options. It has support for
both IPv4 and IPv6 firewall settings.
Run the following command to determine the current status of the
firewalld service:
$ sudo service firewalld status
If the service is enabled, it should return the following: firewalld is running...Strengthen the Default RulesetThe default rules can be strengthened. The system
scripts that activate the firewall rules expect them to be defined
in configuration files under the /etc/firewalld/services
and /etc/firewalld/zones directories.
The following recommendations describe how to strengthen the
default ruleset configuration file. An alternative to editing this
configuration file is to create a shell script that makes calls to
the firewall-cmd program to load in rules under the /etc/firewalld/services
and /etc/firewalld/zones directories.
Instructions apply to both unless otherwise noted. Language and address
conventions for regular firewalld rules are used throughout this section.
The program firewall-config
allows additional services to penetrate the default firewall rules
and automatically adjusts the firewalld ruleset(s).Set Default firewalld Zone for Incoming PacketsTo set the default zone to drop for
the built-in default zone which processes incoming IPv4 and IPv6 packets,
modify the following line in
/etc/firewalld/firewalld.conf to be:
DefaultZone=dropCM-766110911541414In firewalld the default zone is applied only after all
the applicable rules in the table are examined for a match. Setting the
default zone to drop implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.
Inspect the file /etc/firewalld/firewalld.conf to determine
the default zone for the firewalld. It should be set to DefaultZone=drop:
$ sudo grep DefaultZone /etc/firewalld/firewalld.confUncommon Network ProtocolsThe system includes support for several network
protocols which are not commonly used. Although security vulnerabilities
in kernel networking code are not frequently
discovered, the consequences can be dramatic. Ensuring uncommon
network protocols are disabled reduces the system's risk to attacks
targeted at its implementation of those protocols.
Although these protocols are not commonly used, avoid disruption
in your network environment by ensuring they are not needed
prior to disabling them.
Disable DCCP Support
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install dccp /bin/true
Disabling DCCP protects
the system against exploitation of any flaws in its implementation.
CCE-26828-4
If the system is configured to prevent the loading of the
dccp kernel module,
it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf.
These lines instruct the module loading system to run another program (such as
/bin/true) upon a module install event.
Run the following command to search for such lines in all files in /etc/modprobe.d
and the deprecated /etc/modprobe.conf:
$ grep -r dccp /etc/modprobe.conf /etc/modprobe.dConfigure SyslogThe syslog service has been the default Unix logging mechanism for
many years. It has a number of downsides, including inconsistent log format,
lack of authentication for received messages, and lack of authentication,
encryption, or reliable transport for messages sent over a network. However,
due to its long history, syslog is a de facto standard which is supported by
almost all Unix applications.
In Fedora, rsyslog has replaced ksyslogd as the
syslog daemon of choice, and it includes some additional security features
such as reliable, connection-oriented (i.e. TCP) transmission of logs, the
option to log to database formats, and the encryption of log data en route to
a central logging server.
This section discusses how to configure rsyslog for
best effect, and how to use tools provided with the system to maintain and
monitor logs.Ensure rsyslog is Installed
Rsyslog is installed by default.
The rsyslog package can be installed with the following command:
$ sudo yum install rsyslogAU-9(2)13111312
The rsyslog package provides the rsyslog daemon, which provides
system logging services.
Run the following command to determine if the rsyslog package is installed:
$ sudo rpm -q rsyslogEnable rsyslog ServiceThe rsyslog service provides syslog-style logging by default on Fedora.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.serviceAU-12155713121311The rsyslog service must be running in order to provide
logging services, which are essential to system administration.
Run the following command to determine the current status of the
rsyslog service:
$ sudo service rsyslog status
If the service is enabled, it should return the following: rsyslog is running...Ensure Proper Configuration of Log Files
The file /etc/rsyslog.conf controls where log message are written.
These are controlled by lines called rules, which consist of a
selector and an action.
These rules are often customized depending on the role of the system, the
requirements of the environment, and whatever may enable
the administrator to most effectively make use of log data.
The default rules in Fedora are:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
See the man page rsyslog.conf(5) for more information.
Note that the rsyslog daemon can be configured to use a timestamp format that
some log processing programs may not understand. If this occurs,
edit the file /etc/rsyslog.conf and add or edit the following line:$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormatUser who owns log filesSpecify user owner of all logfiles specified in
/etc/rsyslog.conf.rootgroup who owns log filesSpecify group owner of all logfiles specified in
/etc/rsyslog.conf.rootEnsure Log Files Are Owned By Appropriate UserThe owner of all log files written by
rsyslog should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log.
For each log file LOGFILE referenced in /etc/rsyslog.conf,
run the following command to inspect the file's owner:
$ ls -l LOGFILE
If the owner is not root, run the following command to
correct this:
$ sudo chown root LOGFILEAC-6SI-111314The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access.
The owner of all log files written by rsyslog should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log.
To see the owner of a given log file, run the following command:
$ ls -l LOGFILEEnsure Log Files Are Owned By Appropriate GroupThe group-owner of all log files written by
rsyslog should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log.
For each log file LOGFILE referenced in /etc/rsyslog.conf,
run the following command to inspect the file's group owner:
$ ls -l LOGFILE
If the owner is not root, run the following command to
correct this:
$ sudo chgrp root LOGFILEAC-6SI-111314The log files generated by rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Log files should be
protected from unauthorized access.
The group-owner of all log files written by rsyslog should be root.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log.
To see the group-owner of a given log file, run the following command:
$ ls -l LOGFILEEnsure System Log Files Have Correct PermissionsThe file permissions for all log files written by
rsyslog should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log.
For each log file LOGFILE referenced in /etc/rsyslog.conf,
run the following command to inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 600 or more restrictive,
run the following command to correct this:
$ sudo chmod 0600 LOGFILESI-111314Log files can contain valuable information regarding system
configuration. If the system log files are not protected unauthorized
users could change the logged data, eliminating their forensic value.
The file permissions for all log files written by rsyslog
should be set to 600, or more restrictive.
These log files are determined by the second part of each Rule line in
/etc/rsyslog.conf and typically all appear in /var/log.
To see the permissions of a given log file, run the following command:
$ ls -l LOGFILE
The permissions should be 600, or more restrictive.
Rsyslog Logs Sent To Remote Host
If system logs are to be useful in detecting malicious
activities, it is necessary to send logs to a remote server. An
intruder who has compromised the root account on a machine may
delete the log entries which indicate that the system was attacked
before they are seen by an administrator.
However, it is recommended that logs be stored on the local
host in addition to being sent to the loghost, especially if
rsyslog has been configured to use the UDP protocol to send
messages over a network. UDP does not guarantee reliable delivery,
and moderately busy sites will lose log messages occasionally,
especially in periods of high traffic which may be the result of an
attack. In addition, remote rsyslog messages are not
authenticated in any way by default, so it is easy for an attacker to
introduce spurious messages to the central log server. Also, some
problems cause loss of network connectivity, which will prevent the
sending of messages to the central server. For all of these reasons, it is
better to store log messages both centrally and on each host, so
that they can be correlated if necessary.Ensure Logs Sent To Remote Host
To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting loghost.example.com appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery:
*.* @loghost.example.com
To use TCP for log message delivery:
*.* @@loghost.example.com
To use RELP for log message delivery:
*.* :omrelp:loghost.example.comAU-3(2)AU-91348136A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise.
To ensure logs are sent to a remote host, examine the file
/etc/rsyslog.conf.
If using UDP, a line similar to the following should be present:
*.* @loghost.example.com
If using TCP, a line similar to the following should be present:
*.* @@loghost.example.com
If using RELP, a line similar to the following should be present:
*.* :omrelp:loghost.example.comConfigure rsyslogd to Accept Remote Messages If Acting as a Log Server
By default, rsyslog does not listen over the network
for log messages. If needed, modules can be enabled to allow
the rsyslog daemon to receive messages from other systems and for the system
thus to act as a log server.
If the machine is not a log server, then lines concerning these modules
should remain commented out.
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log ServerThe rsyslog daemon should not accept remote messages
unless the system acts as a log server.
To ensure that it is not listening on the network, ensure the following lines are
not found in /etc/rsyslog.conf:
$ModLoad imtcp
$InputTCPServerRun port
$ModLoad imudp
$UDPServerRun port
$ModLoad imrelp
$InputRELPServerRun portAU-9(2)AC-4
Any process which receives messages from the network incurs some risk
of receiving malicious messages. This risk can be eliminated for
rsyslog by configuring it not to listen on the network.
Enable rsyslog to Accept Messages via TCP, if Acting As Log ServerThe rsyslog daemon should not accept remote messages
unless the system acts as a log server.
If the system needs to act as a central log server, add the following lines to
/etc/rsyslog.conf to enable reception of messages over TCP:
$ModLoad imtcp
$InputTCPServerRun 514AU-9
If the system needs to act as a log server, this ensures that it can receive
messages over a reliable TCP connection.
Enable rsyslog to Accept Messages via UDP, if Acting As Log ServerThe rsyslog daemon should not accept remote messages
unless the system acts as a log server.
If the system needs to act as a central log server, add the following lines to
/etc/rsyslog.conf to enable reception of messages over UDP:
$ModLoad imudp
$UDPServerRun 514AU-9
Many devices, such as switches, routers, and other Unix-like systems, may only support
the traditional syslog transmission over UDP. If the system must act as a log server,
this enables it to receive their messages as well.
Ensure All Logs are Rotated by logrotateEdit the file /etc/logrotate.d/syslog. Find the first
line, which should look like this (wrapped for clarity):
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
/var/log/boot.log /var/log/cron {
Edit this line so that it contains a one-space-separated
listing of each log file referenced in /etc/rsyslog.conf.
All logs in use on a system must be rotated regularly, or the
log files will consume disk space over time, eventually interfering
with system operation. The file /etc/logrotate.d/syslog is the
configuration file used by the logrotate program to maintain all
log files written by syslog. By default, it rotates logs weekly and
stores four archival copies of each log. These settings can be
modified by editing /etc/logrotate.conf, but the defaults are
sufficient for purposes of this guide.
Note that logrotate is run nightly by the cron job
/etc/cron.daily/logrotate. If particularly active logs need to be
rotated more often than once a day, some other mechanism must be
used.Ensure Logrotate Runs PeriodicallyThe logrotate utility allows for the automatic rotation of
log files. The frequency of rotation is specified in /etc/logrotate.conf,
which triggers a cron task. To configure logrotate to run daily, add or correct
the following line in /etc/logrotate.conf:
# rotate log files frequency
dailyAU-9366Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full.
To determine the status and frequency of logrotate, run the following command:
$ sudo grep logrotate /var/log/cron*
If logrotate is configured properly, output should include references to
/etc/cron.daily.
Configure Logwatch on the Central Log Server
Is this machine the central log server? If so, edit the file /etc/logwatch/conf/logwatch.conf as shown below.
Configure Logwatch HostLimit Line On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate
on the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not just the one on which it
is running.
HostLimit = no Configure Logwatch SplitHosts Line
If SplitHosts is set, Logwatch will separate entries by hostname. This makes the report longer but significantly
more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that
information is almost always necessary
SplitHosts = yes Disable Logwatch on Clients if a Logserver Exists
Does your site have a central logserver which has been configured to report on logs received from all systems?
If so:
$ sudo rm /etc/cron.daily/0logwatch
If no logserver exists, it will be necessary for each machine to run Logwatch individually. Using a central
logserver provides the security and reliability benefits discussed earlier, and also makes monitoring logs easier
and less time-intensive for administrators.System Accounting with auditdThe audit service provides substantial capabilities
for recording system activities. By default, the service audits about
SELinux AVC denials and certain types of security-relevant events
such as system logins, account modifications, and authentication
events performed by programs such as sudo.
Under its default configuration, auditd has modest disk space
requirements, and should not noticeably impact system performance.
NOTE: The Linux Audit daemon auditd can be configured to use the
auditctl utility to read audit rules from the /etc/audit/audit.rules
configuration file, and load them into the kernel during daemon startup
(default configuration). Alternatively, the auditd daemon can be
configured to use the augenrules program to read audit rules files
(*.rules) located in /etc/audit/rules.d location and compile
them to create the resulting form of the /etc/audit/audit.rules configuration
file during the daemon startup. The expected behavior is configured via the
appropriate ExecStartPost directive setting in the /usr/lib/systemd/system/auditd.service
configuration file. To instruct the auditd daemon to use the auditctl
utility to read audit rules (default configuration), use the following setting:
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
in the /usr/lib/systemd/system/auditd.service configuration file. In order
to instruct the auditd daemon to use the augenrules program
to read audit rules, use the following setting:
ExecStartPost=-/sbin/augenrules --load
in the /usr/lib/systemd/system/auditd.service configuration file. Refer to
[Service] section of the /usr/lib/systemd/system/auditd.service
configuration for further details.
Government networks often have substantial auditing
requirements and auditd can be configured to meet these
requirements.
Examining some example audit records demonstrates how the Linux audit system
satisfies common requirements.
The following example from Fedora Documentation available at
http://docs.fedoraproject.org/en-US/Fedora/22/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html
shows the substantial amount of information captured in a
two typical "raw" audit messages, followed by a breakdown of the most important
fields. In this example the message is SELinux-related and reports an AVC
denial (and the associated system call) that occurred when the Apache HTTP
Server attempted to access the /var/www/html/file1 file (labeled with
the samba_share_t type):
type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
msg=audit(1226874073.147:96)The number in parentheses is the unformatted time stamp (Epoch time)
for the event, which can be converted to standard time by using the
date command.
{ getattr }The item in braces indicates the permission that was denied. getattr
indicates the source process was trying to read the target file's status information.
This occurs before reading files. This action is denied due to the file being
accessed having the wrong label. Commonly seen permissions include getattr,
read, and write.comm="httpd"The executable that launched the process. The full path of the executable is
found in the exe= section of the system call (SYSCALL) message,
which in this case, is exe="/usr/sbin/httpd".
path="/var/www/html/file1"The path to the object (target) the process attempted to access.
scontext="unconfined_u:system_r:httpd_t:s0"The SELinux context of the process that attempted the denied action. In
this case, it is the SELinux context of the Apache HTTP Server, which is running
in the httpd_t domain.
tcontext="unconfined_u:object_r:samba_share_t:s0"The SELinux context of the object (target) the process attempted to access.
In this case, it is the SELinux context of file1. Note: the samba_share_t
type is not accessible to processes running in the httpd_t domain. From the system call (SYSCALL) message, two items are of interest:
success=no: indicates whether the denial (AVC) was enforced or not.
success=no indicates the system call was not successful (SELinux denied
access). success=yes indicates the system call was successful - this can
be seen for permissive domains or unconfined domains, such as initrc_t
and kernel_t.
exe="/usr/sbin/httpd": the full path to the executable that launched
the process, which in this case, is exe="/usr/sbin/httpd".
Enable Auditing for Processes Which Start Prior to the Audit DaemonTo ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system in
/etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="rd.lvm.lv=fedora/swap rd.lvm.lv=fedora/root rd.luks.uuid=luks-3431fd4f-80aa-436e-8acf-24f5bcb4e23a rhgb quiet audit=1"The GRUB 2 configuration file, grub.cfg,
is automatically updated each time a new kernel is installed. Note that any
changes to /etc/default/grub require rebuilding the grub.cfg
file. To update the GRUB 2 configuration file manually, use the
grub2-mkconfig -o command as follows:
On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfgOn UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/fedora/grub2/grub.cfgAC-17(1)AU-14(1)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-10IR-51464130
Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot.
Inspect the form of default GRUB 2 command line for the Linux operating system
in /etc/default/grub. If they include audit=1, then auditing
is enabled at boot time.
Configure auditd Data Retention
The audit system writes data to /var/log/audit/audit.log. By default,
auditd rotates 5 logs by size (6MB), retaining a maximum of 30MB of
data in total, and refuses to write entries when the disk is too
full. This minimizes the risk of audit data filling its partition
and impacting other services. This also minimizes the risk of the audit
daemon temporarily disabling the system if it cannot write audit log (which
it can be configured to do).
For a busy
system or a system which is thoroughly auditing system activity, the default settings
for data retention may be
insufficient. The log file size needed will depend heavily on what types
of events are being audited. First configure auditing to log all the events of
interest. Then monitor the log size manually for awhile to determine what file
size will allow you to keep the required data for the correct time period.
Using a dedicated partition for /var/log/audit prevents the
auditd logs from disrupting system functionality if they fill, and,
more importantly, prevents other activity in /var from filling the
partition and stopping the audit trail. (The audit logs are size-limited and
therefore unlikely to grow without bound unless configured to do so.) Some
machines may have requirements that no actions occur which cannot be audited.
If this is the case, then auditd can be configured to halt the machine
if it runs out of space. Note: Since older logs are rotated,
configuring auditd this way does not prevent older logs from being
rotated away before they can be viewed.
If your system is configured to halt when logging cannot be performed, make
sure this can never happen under normal circumstances! Ensure that
/var/log/audit is on its own partition, and that this partition is
larger than the maximum amount of data auditd will retain
normally.AU-11138Number of log files for auditd to retainThe setting for num_logs in /etc/audit/auditd.conf5543210Maximum audit log file size for auditdThe setting for max_log_size in /etc/audit/auditd.conf62010651Action for auditd to take when log files reach their maximum sizeThe setting for max_log_file_action in /etc/audit/auditd.confrotateignoresyslogsuspendrotatekeep_logsAction for auditd to take when disk space just starts to run lowThe setting for space_left_action in /etc/audit/auditd.confemailignoresyslogemailexecsuspendsinglehaltAction for auditd to take when disk space just starts to run lowThe setting for space_left_action in /etc/audit/auditd.confsingleignoresyslogemailexecsuspendsinglehaltAccount for auditd to send email when actions occursThe setting for action_mail_acct in /etc/audit/auditd.confrootrootadminAuditd priority for flushing data to diskThe setting for flush in /etc/audit/auditd.confdatanoneincrementaldatasyncConfigure auditd Number of Logs RetainedDetermine how many log files
auditd should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf. Add or modify the following
line, substituting NUMLOGS with the correct value of :
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems.
Note that values less than 2 result in no log rotation.AU-1(b)AU-11IR-5The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum log
file size and the number of logs retained.
Inspect /etc/audit/auditd.conf and locate the following line to
determine how many logs the system is configured to retain after rotation:
$ sudo grep num_logs /etc/audit/auditd.confnum_logs = 5Configure auditd Max Log File SizeDetermine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf. Add or modify the following line, substituting
the correct value of for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data.AU-1(b)AU-11IR-5The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum
log file size and the number of logs retained.
Inspect /etc/audit/auditd.conf and locate the following line to
determine how much data the system will retain in each audit log file:
$ sudo grep max_log_file /etc/audit/auditd.confmax_log_file = 6Configure auditd max_log_file_action Upon Reaching Maximum Log Size The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man
page. These include:
ignoresyslogsuspendrotatekeep_logs
Set the ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive.
AU-1(b)AU-4AU-11IR-5Automatically rotating logs (by setting this to rotate)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed.
Inspect /etc/audit/auditd.conf and locate the following line to
determine if the system is configured to rotate logs when they reach their
maximum size:
$ sudo grep max_log_file_action /etc/audit/auditd.confmax_log_file_action rotateConfigure auditd space_left Action on Low Disk SpaceThe auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page.
These include:
ignoresyslogemailexecsuspendsinglehalt
Set this to email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt.
AU-1(b)AU-4AU-5(b)IR-5140143Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.
Inspect /etc/audit/auditd.conf and locate the following line to
determine if the system is configured to email the administrator when
disk space is starting to run low:
$ sudo grep space_left_action /etc/audit/auditd.confspace_left_action
Acceptable values are email, suspend, single, and halt.
Configure auditd admin_space_left Action on Low Disk SpaceThe auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page.
AU-1(b)AU-4AU-5(b)IR-51401343Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur.
Inspect /etc/audit/auditd.conf and locate the following line to
determine if the system is configured to either suspend, switch to single user mode,
or halt when disk space has run low:
admin_space_left_action singleConfigure auditd mail_acct Action on Low Disk SpaceThe auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = AU-1(b)AU-4AU-5(a)IR-5139144Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action.
Inspect /etc/audit/auditd.conf and locate the following line to
determine if the system is configured to send email to an
account when it needs to notify an administrator:
action_mail_acct = rootConfigure auditd flush priorityThe auditd service can be configured to
synchronously write audit event data to disk. Add or correct the following
line in /etc/audit/auditd.conf to ensure that audit event data is
fully synchronized with the log files on the disk:
flush = AU-9AU-12(1)1576Audit data should be synchronously written to disk to ensure
log integrity. These parameters assure that all audit event data is fully
synchronized with the log files on the disk.
Inspect /etc/audit/auditd.conf and locate the following line to
determine if the system is configured to synchronize audit event data
with the log files on the disk:
$ sudo grep flush /etc/audit/auditd.confflush = DATA
Acceptable values are DATA, and SYNC. The setting is
case-insensitive.
Configure auditd to use audispd's syslog pluginTo configure the auditd service to use the
syslog plug-in of the audispd audit event multiplexor, set
the active line in /etc/audisp/plugins.d/syslog.conf to
yes. Restart the auditd service:
$ sudo service auditd restartAU-1(b)AU-3(2)IR-5136The auditd service does not include the ability to send audit
records to a centralized server for management directly. It does, however,
include a plug-in for audit event multiplexor (audispd) to pass audit records
to the local syslog server
To verify the audispd's syslog plugin is active, run the following command:
$ sudo grep active /etc/audisp/plugins.d/syslog.conf
If the plugin is active, the output will show yes.
Configure auditd Rules for Comprehensive AuditingThe auditd program can perform comprehensive
monitoring of system activity. This section describes recommended
configuration settings for comprehensive auditing, but a full
description of the auditing system's capabilities is beyond the
scope of this guide. The mailing list linux-audit@redhat.com exists
to facilitate community discussion of the auditing system.
The audit subsystem supports extensive collection of events, including:
Tracing of arbitrary system calls (identified by name or number)
on entry or exit.Filtering by PID, UID, call success, system call argument (with
some limitations), etc.Monitoring of specific files for modifications to the file's
contents or metadata.
Auditing rules at startup are controlled by the file /etc/audit/audit.rules.
Add rules to it to meet the auditing requirements for your organization.
Each line in /etc/audit/audit.rules represents a series of arguments
that can be passed to auditctl and can be individually tested
during runtime. See documentation in /usr/share/doc/audit-VERSION and
in the related man pages for more details.
If copying any example audit rulesets from /usr/share/doc/audit-VERSION,
be sure to comment out the
lines containing arch= which are not appropriate for your system's
architecture. Then review and understand the following rules,
ensuring rules are activated as needed for the appropriate
architecture.
After reviewing all the rules, reading the following sections, and
editing as needed, the new rules can be activated as follows:
$ sudo service auditd restartRecords Events that Modify Date and Time InformationArbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time. All changes to the system
time should be audited.Record attempts to alter time through adjtimexIf the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rulesAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-51487169Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
To determine if the system is configured to audit calls to
the adjtimex
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep adjtimex
If the system is configured to audit this activity, it will return a line.
Record attempts to alter time through settimeofdayIf the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
The -k option allows for the specification of a key in string form that can be
used for better reporting capability through ausearch and aureport. Multiple
system calls can be defined on the same line to save space if desired, but is
not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rulesAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-51487169Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
To determine if the system is configured to audit calls to
the settimeofday
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep settimeofday
If the system is configured to audit this activity, it will return a line.
Record Attempts to Alter Time Through stimeIf the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules file
for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -k audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). If the
auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup, add the following line to a file with
suffix .rules in the directory /etc/audit/rules.d for both
32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -k audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32 bit and 64 bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but is not
required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rulesAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-51487169Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
If the system is not configured to audit time changes, this is a finding.
If the system is 64-bit only, this is not applicable
To determine if the system is configured to audit calls to
the stime
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep stime
If the system is configured to audit this activity, it will return a line.
Record Attempts to Alter Time Through clock_settimeIf the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if
desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rulesAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-51487169Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*"
GROUP="clock_settime"
FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change"
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done
To determine if the system is configured to audit calls to
the clock_settime
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep clock_settime
If the system is configured to audit this activity, it will return a line.
Record Attempts to Alter the localtime FileIf the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the default),
add the following line to /etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can
be used for better reporting capability through ausearch and aureport and
should always be used.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(b)IR-51487169Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.
To determine if the system is configured to audit attempts to
alter time via the /etc/localtime file, run the following
command:
$ sudo auditctl -l | grep "watch=/etc/localtime"
If the system is configured to audit this activity, it will return a line.
Record Events that Modify User/Group InformationIf the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following lines to /etc/audit/audit.rules file,
in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules in the directory /etc/audit/rules.d,
in order to capture events that modify account changes:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modificationAC-2(4)AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5181403140414051684168316851686In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
To determine if the system is configured to audit account changes,
run the following command:
auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
If the system is configured to watch for account changes, lines should be returned for
each file specified (and with perm=wa for each).
Record Events that Modify the System's Network EnvironmentIf the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following lines to /etc/audit/audit.rules file,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules in the directory /etc/audit/rules.d,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modificationAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.
To determine if the system is configured to audit changes to its network configuration,
run the following command:
auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
If the system is configured to watch for network configuration changes, a line should be returned for
each file specified (and perm=wa should be indicated for each).
System Audit Logs Must Have Mode 0640 or Less Permissive
Change the mode of the audit log files with the following command:
$ sudo chmod 0640 audit_fileAC-6AU-1(b)AU-9IR-5
If users can write to audit logs, audit trails can be modified or destroyed.
Run the following command to check the mode of the system audit logs:
$ sudo ls -l /var/log/audit
Audit logs must be mode 0640 or less permissive.
System Audit Logs Must Be Owned By Root
To properly set the owner of /var/log, run the command:
$ sudo chown root /var/logAC-6AU-1(b)AU-9IR-5166Failure to give ownership of the audit log files to root allows the designated
owner, and unauthorized users, potential access to sensitive information.
To check the ownership of /var/log, run the command:
$ ls -lL /var/log
If properly configured, the output should indicate the following owner:
rootRecord Events that Modify the System's Mandatory Access ControlsIf the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policyAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5The system's mandatory access policy (SELinux) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited.
To determine if the system is configured to audit changes to its SELinux
configuration files, run the following command:
$ sudo auditctl -l | grep "dir=/etc/selinux"
If the system is configured to watch for changes to its SELinux
configuration, a line should be returned (including
perm=wa indicating permissions that are watched).
Record Events that Modify the System's Discretionary Access ControlsAt a minimum the audit system should collect file permission
changes for all users and root. Note that the "-F arch=b32" lines should be
present even on a 64 bit system. These commands identify system calls for
auditing. Even if the system is 64 bit it can still execute 32 bit system
calls. Additionally, these rules can be configured in a number of ways while
still achieving the desired effect. An example of this is that the "-S" calls
could be split up and placed on separate lines, however, this is less efficient.
Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If your system is 64 bit then these lines should be duplicated and the
arch=b32 replaced with arch=b64 as follows:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_modThe changing of file permissions could indicate that a user is
attempting to gain access to information that would otherwise be disallowed.
Auditing DAC modifications can facilitate the identification of patterns of
abuse among both authorized and unauthorized users.Record Events that Modify the System's Discretionary Access Controls - chmodAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the chmod
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep chmod
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - chownAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the chown
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep chown
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - fchmodAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the fchmod
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep fchmod
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - fchmodatAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the fchmodat
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep fchmodat
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - fchownAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the fchown
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep fchown
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - fchownatAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the fchownat
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep fchownat
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - fremovexattrAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the fremovexattr
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep fremovexattr
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - fsetxattrAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the fsetxattr
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep fsetxattr
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - lchownAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the lchown
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep lchown
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - lremovexattrAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the lremovexattr
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep lremovexattr
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - lsetxattrAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the lsetxattr
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep lsetxattr
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - removexattrAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the removexattr
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep removexattr
If the system is configured to audit this activity, it will return a line.
Record Events that Modify the System's Discretionary Access Controls - setxattrAt a minimum the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_modNote that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient.
AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.
To determine if the system is configured to audit calls to
the setxattr
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep setxattr
If the system is configured to audit this activity, it will return a line.
Record Attempts to Alter Logon and Logout EventsThe audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following lines to /etc/audit/audit.rules file in
order to watch for attempted manual edits of files involved in storing logon
events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules in the directory /etc/audit/rules.d
in order to watch for attempted manual edits of files involved in storing logon
events:
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k loginsAC-17(7)AU-1(b)AU-12(a)AU-12(c)IR-5Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/run/faillock/" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/run/faillock/" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"
fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins"
Record Attempts to Alter Process and Session Initiation InformationThe audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following lines to /etc/audit/audit.rules file in
order to watch for attempted manual edits of files involved in storing such
process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules in the directory /etc/audit/rules.d
in order to watch for attempted manual edits of files involved in storing such
process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k sessionAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)At a minimum the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the auditctl utility to read audit rules during daemon startup
(the default), add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following lines to a
file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k accessAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.
To verify that the audit system collects unauthorized file accesses, run the following commands:
$ sudo grep EACCES /etc/audit/audit.rules$ sudo grep EPERM /etc/audit/audit.rulesEnsure auditd Collects Information on the Use of Privileged CommandsAt a minimum the audit system should collect the execution of
privileged commands for all users and root. To find the relevant setuid /
setgid programs, run the following command for each local partition
PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup (the default), add a line of
the following form to /etc/audit/audit.rules for each setuid / setgid
program on the system, replacing the SETUID_PROG_PATH part with the full
path of that setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add a line of the following
form to a file with suffix .rules in the directory
/etc/audit/rules.d for each setuid / setgid program on the system,
replacing the SETUID_PROG_PATH part with the full path of that setuid /
setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privilegedAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-2(4)AU-12(a)AU-12(c)IR-540Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.
To verify that auditing of privileged command use is configured, run the
following command for each local partition PART to find relevant
setuid / setgid programs:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
Run the following command to verify entries in the audit rules for all programs
found with the previous command:
$ sudo grep path /etc/audit/audit.rules
It should be the case that all relevant setuid / setgid programs have a line
in the audit rules.
Ensure auditd Collects Information on Exporting to Media (successful)At a minimum the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the auditctl utility to read audit rules during daemon startup
(the default), add the following line to /etc/audit/audit.rules file,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k exportAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The unauthorized exportation of data to external media could result in an information leak
where classified information, Privacy Act information, and intellectual property could be lost. An audit
trail should be created each time a filesystem is mounted to help identify and guard against information
loss.
To verify that auditing is configured for all media exportation events, run the following command:
$ sudo auditctl -l | grep syscall | grep mountEnsure auditd Collects File Deletion Events by UserAt a minimum the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules file,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d,
setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k deleteAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence.
To determine if the system is configured to audit calls to
the unlink
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep unlink
If the system is configured to audit this activity, it will return a line.
To determine if the system is configured to audit calls to
the unlinkat
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep unlinkat
If the system is configured to audit this activity, it will return a line.
To determine if the system is configured to audit calls to
the rename
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep rename
If the system is configured to audit this activity, it will return a line.
To determine if the system is configured to audit calls to
the renameat
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep renameat
If the system is configured to audit this activity, it will return a line.
Ensure auditd Collects System Administrator ActionsAt a minimum the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the default),
add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actionsAC-2(7)(b)AC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes.
To verify that auditing is configured for system administrator actions, run the following command:
$ sudo auditctl -l | grep "watch=/etc/sudoers"Ensure auditd Collects Information on Kernel Module Loading and UnloadingIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup (the default), add the following
lines to /etc/audit/audit.rules file in order to capture kernel module loading
and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
If the auditd daemon is configured to use the augenrules program to
read audit rules during daemon startup, add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for
your system:
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=ARCH -S init_module -S delete_module -k modulesAC-17(7)AU-1(b)AU-2(a)AU-2(c)AU-2(d)AU-12(a)AU-12(c)IR-5126The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.
To determine if the system is configured to audit calls to
the init_module
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep init_module
If the system is configured to audit this activity, it will return a line.
To determine if the system is configured to audit calls to
the delete_module
system call, run the following command:
$ sudo auditctl -l | grep syscall | grep delete_module
If the system is configured to audit this activity, it will return a line.
Make the auditd Configuration ImmutableIf the auditd daemon is configured to use the
auditctl utility to read audit rules during daemon startup (the
default), add the following line to /etc/audit/audit.rules file in
order to make the auditd configuration immutable:
-e 2
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup, add the following line to a
file with suffix .rules in the directory /etc/audit/rules.d in
order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules.
AC-6AU-1(b)AU-2(a)AU-2(c)AU-2(d)IR-5Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation
# Traverse all of:
#
# /etc/audit/audit.rules, (for auditctl case)
# /etc/audit/rules.d/*.rules (for augenrules case)
#
# files to check if '-e .*' setting is present in that '*.rules' file already.
# If found, delete such occurrence since auditctl(8) manual page instructs the
# '-e 2' rule should be placed as the last rule in the configuration
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'
# Append '-e 2' requirement at the end of both:
# * /etc/audit/audit.rules file (for auditctl case)
# * /etc/audit/rules.d/immutable.rules (for augenrules case)
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
echo '' >> $AUDIT_FILE
echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE
echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
echo '-e 2' >> $AUDIT_FILE
done
Services
The best protection against vulnerable software is running less software. This
section describes how to review the software which Fedora installs on a system
and disable software which is not needed. It then enumerates the software
packages installed on a default Fedora system and provides guidance about which
ones can be safely disabled.
Fedora provides a convenient minimal install option that essentially installs
the bare necessities for a functional system. When building Fedora servers, it
is highly recommended to select the minimal packages and then build up the
system from there.
Cron and At DaemonsThe cron and at services are used to allow commands to
be executed at a later time. The cron service is required by almost
all systems to perform necessary maintenance tasks, while at may or
may not be required on a given system. Both daemons should be
configured defensively.Enable cron ServiceThe crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
$ sudo systemctl enable crond.serviceCM-7Due to its usage for maintenance and security-supporting tasks,
enabling the cron daemon is essential.
Run the following command to determine the current status of the
crond service:
$ sudo service crond status
If the service is enabled, it should return the following: crond is running...Disable anacron ServiceThe cronie-anacron package, which provides anacron
functionality, is installed by default.
The cronie-anacron package can be removed with the following command:
$ sudo yum erase cronie-anacronCM-7
The anacron service provides cron functionality for systems
such as laptops and workstations that may be shut down during the normal times
that cron jobs are scheduled to run. On systems which do not require this
additional functionality, anacron could needlessly increase the possible
attack surface for an intruder.
Run the following command to determine if the cronie-anacron package is installed:
$ sudo rpm -q cronie-anacronDisable At Service (atd)The at and batch commands can be used to
schedule tasks that are meant to be executed only once. This allows delayed
execution in a manner similar to cron, except that it is not
recurring. The daemon atd keeps track of tasks scheduled via
at and batch, and executes them at the specified time.
The atd service can be disabled with the following command:
$ sudo systemctl disable atd.serviceCM-7381
The atd service could be used by an unsophisticated insider to carry
out activities outside of a normal login session, which could complicate
accountability. Furthermore, the need to schedule tasks with at or
batch is not common.
To check that the atd service is disabled in system boot configuration, run the following command:
$ sudo chkconfig atd --list
Output should indicate the atd service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo chkconfig atd --list
atd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Run the following command to verify atd is disabled through current runtime configuration:
$ sudo service atd status
If the service is disabled the command will return the following output:
atd is stoppedRestrict at and cron to Authorized Users if Necessary
The /etc/cron.allow and /etc/at.allow files contain lists of users who are allowed
to use cron and at to delay execution of processes. If these files exist and
if the corresponding files /etc/cron.deny and /etc/at.deny do not exist,
then only users listed in the relevant allow files can run the crontab and at
commands to submit jobs to be run at scheduled intervals.
On many systems, only the system administrator needs the ability to schedule
jobs. Note that even if a given user is not listed in cron.allow, cron jobs can
still be run as that user. The cron.allow file controls only administrative access
to the crontab command for scheduling and modifying cron jobs.
To restrict at and cron to only authorized users:
Remove the cron.deny file:$ sudo rm /etc/cron.denyEdit /etc/cron.allow, adding one line for each user allowed to use the crontab command to create cron jobs.Remove the at.deny file:$ sudo rm /etc/at.denyEdit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs.SSH ServerThe SSH protocol is recommended for remote login and remote file
transfer. SSH provides confidentiality and integrity for data exchanged between
two systems, as well as server authentication, through the use of public key
cryptography. The implementation included with the system is called OpenSSH,
and more detailed documentation is available from its website,
http://www.openssh.org. Its server program is called sshd and
provided by the RPM package openssh-server.SSH session Idle timeSpecify duration of allowed idle time.300300600900Configure OpenSSH Server if NecessaryIf the system needs to act as an SSH server, then certain changes
should be made to the OpenSSH daemon configuration file
/etc/ssh/sshd_config. The following recommendations can be applied
to this file. See the sshd_config(5) man page for more detailed
information.SSH Root Login DisabledThe root user should never be allowed to login to a system
directly over a network. To disable root login via SSH, add or correct the
following line in /etc/ssh/sshd_config:
PermitRootLogin noAC-6(2)IA-2(1)770
Permitting direct root login reduces auditable information about who ran
privileged commands on the system and also allows direct attack attempts on
root's password.
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# PermitRootLogin directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
then
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of PermitRootLogin directive
sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
# Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'PermitRootLogin no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
fi
fi
SSH Access via Empty Passwords DisabledTo explicitly disallow remote login from accounts with empty
passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM
configuration should prevent users from being able to assign themselves empty
passwords.
765766
Configuring this setting for the SSH daemon provides additional assurance that
remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# PermitEmptyPasswords directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_PERMIT_EMPTY_PASSWORDS=$(sed -n '/^[[:space:]]*PermitEmptyPasswords[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
then
# Append 'PermitEmptyPasswords no' at the end of $SSHD_CONFIG
echo -e "\nPermitEmptyPasswords no" >> $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of PermitEmptyPasswords directive
sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
then
# Prepend 'PermitEmptyPasswords no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_PERMIT_EMPTY_PASSWORDS" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of PermitEmptyPasswords directive
sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
# Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'PermitEmptyPasswords no' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
fi
fi
SSH Idle Timeout Interval UsedSSH allows administrators to set an idle timeout interval.
After this interval has passed, the idle user will be automatically logged out.
To set an idle timeout interval, edit the /etc/ssh/sshd_config file,
locate the following line:
ClientAliveInterval INTERVAL
and correct it to have the form of:
ClientAliveInterval
The timeout INTERVAL is given in seconds. To have a timeout of 15
minutes, set INTERVAL to 900.
If a shorter timeout has already been set for the login shell, that value will
preempt any SSH setting made here. Keep in mind that some processes may stop
SSH from correctly detecting that the user is idle.
8791133
Causing idle users to be automatically logged out guards against compromises
one system leading trivially to compromises on another.
sshd_idle_timeout_value=""
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# ClientAliveInterval directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_INTERVAL=$(sed -n '/^[[:space:]]*ClientAliveInterval[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
then
# Append 'ClientAliveInterval $sshd_idle_timeout_value' at the end of $SSHD_CONFIG
echo -e "\nClientAliveInterval $sshd_idle_timeout_value" >> $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of ClientAliveInterval directive
sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
then
# Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_CLIENT_ALIVE_INTERVAL" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of ClientAliveInterval directive
sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
# Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
fi
fi
SSH Client Alive Count UsedTo ensure the SSH idle timeout occurs precisely when the
ClientAliveCountMax is set, edit /etc/ssh/sshd_config as
follows:
ClientAliveCountMax 08791133
This ensures a user login will be terminated as soon as the
ClientAliveCountMax is reached.
SSHD_CONFIG='/etc/ssh/sshd_config'
# Obtain line number of first uncommented case-insensitive occurrence of Match
# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
# Obtain line number of first uncommented case-insensitive occurence of
# ClientAliveCountMax directive (possibly prefixed with whitespace) present in
# $SSHD_CONFIG
FIRST_CLIENT_ALIVE_COUNT_MAX=$(sed -n '/^[[:space:]]*ClientAliveCountMax[^\n]*/I{=;q}' $SSHD_CONFIG)
# Case: Match block directive not present in $SSHD_CONFIG
if [ -z "$FIRST_MATCH_BLOCK" ]
then
# Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
then
# Append 'ClientAliveCountMax 0' at the end of $SSHD_CONFIG
echo -e "\nClientAliveCountMax 0" >> $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG already
else
# Replace first uncommented case-insensitive occurrence
# of ClientAliveCountMax directive
sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
fi
# Case: Match block directive present in $SSHD_CONFIG
else
# Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
then
# Prepend 'ClientAliveCountMax 0' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
# before first Match block directive
elif [ "$FIRST_CLIENT_ALIVE_COUNT_MAX" -lt "$FIRST_MATCH_BLOCK" ]
then
# Replace first uncommented case-insensitive occurrence
# of ClientAliveCountMax directive
sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
# Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
# after first Match block directive
else
# Prepend 'ClientAliveCountMax 0' before first uncommented
# case-insensitive occurrence of Match block directive
sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
fi
fi
Network Time ProtocolThe Network Time Protocol is used to manage the system
clock over a network. Computer clocks are not very accurate, so
time will drift unpredictably on unmanaged systems. Central time
protocols can be used both to ensure that time is consistent among
a network of machines, and that their time is consistent with the
outside world.
If every system on a network reliably reports the same time, then it is much
easier to correlate log messages in case of an attack. In addition, a number of
cryptographic protocols (such as Kerberos) use timestamps to prevent certain
types of attacks. If your network does not have synchronized time, these
protocols may be unreliable or even unusable.
Depending on the specifics of the network, global time accuracy may be just as
important as local synchronization, or not very important at all. If your
network is connected to the Internet, using a
public timeserver (or one provided by your enterprise) provides globally
accurate timestamps which may be essential in investigating or responding to
an attack which originated outside of your network.
A typical network setup involves a small number of internal systems operating as NTP
servers, and the remainder obtaining time information from those
internal servers.
More information on how to configure the NTP server software,
including configuration of cryptographic authentication for
time data, is available at http://www.ntp.org.
Enable the Chrony Daemon
The ntpd service can be enabled with the following command:
$ sudo systemctl enable ntpd.serviceAU-8(1)160Enabling the chronyd service ensures that the chronyd
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.
The chrony daemon offers all of the functionality of ntpdate, which is now
deprecated. Additional information on this is available at
http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate. /usr/share/scap-security-guide/remediation_functions
service_command enable chronyd.service
Run the following command to determine the current status of the
ntpd service:
$ sudo service ntpd status
If the service is enabled, it should return the following: ntpd is running...Specify a Remote NTP ServerTo specify a remote NTP server for time synchronization, edit
the file /etc/chrony.conf. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for ntpserver:
server ntpserver
This instructs the NTP software to contact that remote server to obtain time
data.
AU-8(1)160Synchronizing with an NTP server makes it possible
to collate system logs from multiple sources or correlate computer events with
real time events.
To verify that a remote NTP service is configured for time synchronization,
open the following file:
/etc/chrony.conf
In the file, there should be a section similar to the following:
server ntpserverSpecify Additional Remote NTP ServersAdditional NTP servers can be specified for time synchronization
in the file /etc/chrony.conf. To do so, add additional lines of the
following form, substituting the IP address or hostname of a remote NTP server for
ntpserver:
server ntpserverAU-8(1)Specifying additional NTP servers increases the availability of
accurate time data, in the event that one of the specified servers becomes
unavailable. This is typical for a system acting as an NTP server for
other systems.
Audit Deamon
The Linux Audit system provides a way to track security-relevant information on your system. Based on pre-configured rules, Audit generates log entries to record as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine the violator of the security policy and the actions they performed. Audit does not provide additional security to your system; rather, it can be used to discover violations of security policies used on your system. These violations can further be prevented by additional security measures such as SELinux.
Enable the Audit Daemon
The audit service can be enabled with the following command:
$ sudo systemctl enable audit.serviceAU-8(1)160Enabling the auditd service ensures that The Linux Audit system is capable
to watch the system and generate log entries.
Run the following command to determine the current status of the
audit service:
$ sudo service audit status
If the service is enabled, it should return the following: audit is running...FTP ServerFTP is a common method for allowing remote access to
files. Like telnet, the FTP protocol is unencrypted, which means
that passwords and other data transmitted during the session can be
captured and that the session is vulnerable to hijacking.
Therefore, running the FTP server software is not recommended.
However, there are some FTP server configurations which may
be appropriate for some environments, particularly those which
allow only read-only anonymous access as a means of downloading
data available to the public.Disable vsftpd if PossibleDisable vsftpd Service
The vsftpd service can be disabled with the following command:
$ sudo systemctl disable vsftpd.serviceCM-71436
Running FTP server software provides a network-based avenue
of attack, and should be disabled if not needed.
Furthermore, the FTP protocol is unencrypted and creates
a risk of compromising sensitive information.
To check that the vsftpd service is disabled in system boot configuration, run the following command:
$ sudo chkconfig vsftpd --list
Output should indicate the vsftpd service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo chkconfig vsftpd --list
vsftpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Run the following command to verify vsftpd is disabled through current runtime configuration:
$ sudo service vsftpd status
If the service is disabled the command will return the following output:
vsftpd is stoppedUninstall vsftpd Package
The vsftpd package can be removed with the following command:
$ sudo yum erase vsftpdCM-71436
Removing the vsftpd package decreases the risk of its
accidental activation.
Run the following command to determine if the vsftpd package is installed:
$ sudo rpm -q vsftpdUse vsftpd to Provide FTP Service if NecessaryInstall vsftpd PackageIf this machine must operate as an FTP server, install the vsftpd package via the standard channels.
# yum install vsftpdCM-7After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security
and for consistency with future Red Hat releases, the use of vsftpd is recommended.Use vsftpd to Provide FTP Service if NecessaryThe primary vsftpd configuration file is
/etc/vsftpd.conf, if that file exists, or
/etc/vsftpd/vsftpd.conf if it does not.
Enable Logging of All FTP TransactionsAdd or correct the following configuration options within the vsftpd
configuration file, located at /etc/vsftpd/vsftpd.conf:
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YESIf verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog will not also occur. However, the information about what files were downloaded is included in the information logged to vsftpd.logTo trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log
format. The default vsftpd log file is /var/log/vsftpd.log.
Find if logging is applied to the FTP daemon.
Procedures:
If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file:
# grep vsftpd /etc/xinetd.d/*# grep server_args vsftpd xinetd.d startup file
This will indicate the vsftpd config file used when starting through xinetd.
If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used.
# grep xferlog_enable vsftpd config fileCreate Warning Banners for All FTP UsersEdit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf
by default. Add or correct the following configuration options:
banner_file=/etc/issue48This setting will cause the system greeting banner to be used for FTP connections as well.
If FTP services are not installed, this is not applicable.
To verify this configuration, run the following command:
grep "banner_file" /etc/vsftpd/vsftpd.conf
The output should show the value of banner_file is set to /etc/issue, an example of which is shown below:
# grep "banner_file" /etc/vsftpd/vsftpd.conf
banner_file=/etc/issueRestrict the Set of Users Allowed to Access FTPThis section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to
do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an
identified need for this access.Restrict Access to Anonymous Users if PossibleIs there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than
using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
local_enable=NO
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure
these logins as much as possible.The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access. Limit Users Allowed FTP Access if NecessaryIf there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
USERNAME
If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well.
anonymous
ftpHistorically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist deny=NO is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.Disable FTP Uploads if PossibleIs there a mission-critical reason for users to upload files via FTP? If not,
edit the vsftpd configuration file to add or correct the following configuration options:
write_enable=NO
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions
as much as possible.Anonymous FTP can be a convenient way to make files available for universal download. However, it is less
common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it
is necessary to ensure that files cannot be uploaded and downloaded from the same directory.
Place the FTP Home Directory on its Own PartitionBy default, the anonymous FTP root is the home directory of the FTP user account. The df command can
be used to verify that this directory is on its own partition.If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent
these users from filling a disk used by other services.Configure Firewalls to Protect the FTP ServerBy default, iptables
blocks access to the ports used by the web server.
To configure iptables to allow port
21 traffic one must edit
/etc/sysconfig/iptables and
/etc/sysconfig/ip6tables (if IPv6 is in use).
Add the following line, ensuring that it appears before the final LOG
and DROP lines for the INPUT chain:
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated list of modules contains
the FTP connection tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"These settings configure iptables to allow connections to an FTP server. The first line allows initial connections
to the FTP server port.
FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client
and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by
iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an
FTP server to operate on a machine which is running a firewall.SNMP ServerThe Simple Network Management Protocol allows
administrators to monitor the state of network devices, including
computers. Older versions of SNMP were well-known for weak
security, such as plaintext transmission of the community string
(used for authentication) and usage of easily-guessable
choices for the community string.Disable SNMP Server if PossibleThe system includes an SNMP daemon that allows for its remote
monitoring, though it not installed by default. If it was installed and
activated but is not needed, the software should be disabled and removed.
Disable snmpd Service
The snmpd service can be disabled with the following command:
$ sudo systemctl disable snmpd.service
Running SNMP software provides a network-based avenue of attack, and
should be disabled if not needed.
To check that the snmpd service is disabled in system boot configuration, run the following command:
$ sudo chkconfig snmpd --list
Output should indicate the snmpd service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo chkconfig snmpd --list
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Run the following command to verify snmpd is disabled through current runtime configuration:
$ sudo service snmpd status
If the service is disabled the command will return the following output:
snmpd is stoppedUninstall net-snmp PackageThe net-snmp package provides the snmpd service.
The net-snmp package can be removed with the following command:
$ sudo yum erase net-snmp
If there is no need to run SNMP server software,
removing the package provides a safeguard against its
activation.
# CAUTION: This remediation script will remove net-snmp
# from the system, and may remove any packages
# that depend on net-snmp. Execute this
# remediation AFTER testing on a non-production
# system!
yum -y erase net-snmp
Run the following command to determine if the net-snmp package is installed:
$ sudo rpm -q net-snmpConfigure SNMP Server if NecessaryIf it is necessary to run the snmpd agent on the system, some best
practices should be followed to minimize the security risk from the
installation. The multiple security models implemented by SNMP cannot be fully
covered here so only the following general configuration advice can be offered:
use only SNMP version 3 security models and enable the use of authentication and encryptionwrite access to the MIB (Management Information Base) should be allowed only if necessaryall access to the MIB should be restricted following a principle of least privilegenetwork access should be limited to the maximum extent possible including restricting to expected network
addresses both in the configuration files and in the system firewall rulesensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management
stationsensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictiveensure that any MIB files' permissions are also 640 or more restrictiveConfigure SNMP Service to Use Only SNMPv3 or Newer
Edit /etc/snmp/snmpd.conf, removing any references to rocommunity, rwcommunity, or com2sec.
Upon doing that, restart the SNMP service:
# service snmpd restart
Earlier versions of SNMP are considered insecure, as they potentially allow
unauthorized access to detailed system management information.
To ensure only SNMPv3 or newer is used, run the following command:
# grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"
There should be no output.
Ensure Default Password Is Not Used
Edit /etc/snmp/snmpd.conf, remove default community string public.
Upon doing that, restart the SNMP service:
# service snmpd restart
Presence of the default SNMP password enables querying of different system
aspects and could result in unauthorized knowledge of the system.
To ensure the default password is not set, run the following command:
# grep -v "^#" /etc/snmp/snmpd.conf| grep public
There should be no output.
NFS and RPCThe Network File System is a popular distributed filesystem for
the Unix environment, and is very widely deployed. This section discusses the
circumstances under which it is possible to disable NFS and its dependencies,
and then details steps which should be taken to secure
NFS's configuration. This section is relevant to machines operating as NFS
clients, as well as to those operating as NFS servers.
Disable All NFS Services if PossibleIf there is not a reason for the system to operate as either an
NFS client or an NFS server, follow all instructions in this section to disable
subsystems required by NFS.
The steps in this section will prevent a machine
from operating as either an NFS client or an NFS server. Only perform these
steps on machines which do not need NFS at all.Disable Services Used Only by NFSIf NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.
All of these daemons run with elevated privileges, and many listen for network
connections. If they are not needed, they should be disabled to improve system
security posture.Disable Network File System Lock Service (nfslock)The Network File System Lock (nfslock) service starts the required
remote procedure call (RPC) processes which allow clients to lock files on the
server. If the local machine is not configured to mount NFS filesystems then
this service should be disabled.
The nfslock service can be disabled with the following command:
$ sudo systemctl disable nfslock.serviceDisable Secure RPC Client Service (rpcgssd)
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols
that use RPC (most often Kerberos and NFS). The rpcgssd service is the
client-side of RPCSEC GSS. If the system does not require secure RPC then this
service should be disabled.
The rpcgssd service can be disabled with the following command:
$ sudo systemctl disable rpcgssd.serviceDisable RPC ID Mapping Service (rpcidmapd)The rpcidmapd service is used to map user names and groups to UID
and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then
this service should be disabled.
The rpcidmapd service can be disabled with the following command:
$ sudo systemctl disable rpcidmapd.serviceDisable netfs if PossibleTo determine if any network filesystems handled by netfs are
currently mounted on the system execute the following command:
# mount -t nfs,nfs4,smbfs,cifs,ncpfs
If the command did not return any output then disable netfs.
Disable Network File Systems (netfs)The netfs script manages the boot-time mounting of several types
of networked filesystems, of which NFS and Samba are the most common. If these
filesystem types are not in use, the script can be disabled, protecting the
system somewhat against accidental or malicious changes to /etc/fstab
and against flaws in the netfs script itself.
The netfs service can be disabled with the following command:
$ sudo systemctl disable netfs.serviceConfigure All Machines which Use NFSThe steps in this section are appropriate for all machines which
run NFS, whether they operate as clients or as servers.Make Each Machine a Client or a Server, not BothIf NFS must be used, it should be deployed in the simplest
configuration possible to avoid maintainability problems which may lead to
unnecessary security exposure. Due to the reliability and security problems
caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for machines
which act as NFS servers to also mount filesystems via NFS. At the least,
crossed mounts (the situation in which each of two servers mounts a filesystem
from the other) should never be used.
Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)Firewalling should be done at each host and at the border
firewalls to protect the NFS daemons from remote access, since NFS servers
should never be accessible from outside the organization. However, by default
for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port
dynamically at service startup time. Dynamic ports cannot be protected by port
filtering firewalls such as iptables.
Therefore, restrict each service to always use a given port, so that
firewalling can be done effectively. Note that, because of the way RPC is
implemented, it is not possible to disable the RPC Bind service even if ports
are assigned statically to all RPC services.
In NFSv4, the mounting and locking protocols have been incorporated into the
protocol, and the server listens on the the well-known TCP port 2049. As such,
NFSv4 does not need to interact with the rpcbind, lockd, and rpc.statd
daemons, which can and should be disabled in a pure NFSv4 environment. The
rpc.mountd daemon is still required on the NFS server to setup
exports, but is not involved in any over-the-wire operations.
Configure lockd to use static TCP portConfigure the lockd daemon to use a static TCP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file /etc/sysconfig/nfs. Add or correct the following line:
LOCKD_TCPPORT=lockd-port
Where lockd-port is a port which is not used by any other service on
your network.
Restrict service to always use a given port, so that firewalling can be done
effectively.
Configure lockd to use static UDP portConfigure the lockd daemon to use a static UDP port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file /etc/sysconfig/nfs. Add or correct the following line:
LOCKD_UDPPORT=lockd-port
Where lockd-port is a port which is not used by any other service on
your network.
Restricting services to always use a given port enables firewalling
to be done more effectively.
Configure statd to use static portConfigure the statd daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file /etc/sysconfig/nfs. Add or correct the following line:
STATD_PORT=statd-port
Where statd-port is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling
to be done more effectively.
Configure mountd to use static portConfigure the mountd daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file /etc/sysconfig/nfs. Add or correct the following line:
MOUNTD_PORT=statd-port
Where mountd-port is a port which is not used by any other service on your network.
Restricting services to always use a given port enables firewalling
to be done more effectively.
Configure NFS ClientsThe steps in this section are appropriate for machines which operate as NFS clients.Disable NFS Server Daemons
There is no need to run the NFS server daemons nfs and
rpcsvcgssd except on a small number of properly secured machines
designated as NFS servers. Ensure that these daemons are turned off on
clients.Specify UID and GID for Anonymous NFS ConnectionsTo specify the UID and GID for remote root users, edit the /etc/exports file and add the following for each export:
anonuid=-1
anongid=-1
Specifying the anonymous UID and GID as -1 ensures that the remote root user is mapped to a local account which has no permissions on the system.Disable Network File System (nfs)The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local machine. If the local machine
is not designated as a NFS server then this service should be disabled.
The nfs service can be disabled with the following command:
$ sudo systemctl disable nfs.serviceUnnecessary services should be disabled to decrease the attack surface of the system.
It is prudent to ensure the nfs service is disabled in system boot, as well as
not currently running. First, run the following to verify the service is stopped:
$ service nfs status
If the service is stopped or disabled, it will return the following:
rpc.svcgssd is stopped
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped
To verify that the nfs service is disabled, run the following command:
$ chkconfig --list nfs
If properly configured, the output should look like:
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:offDisable Secure RPC Server Service (rpcsvcgssd)The rpcsvcgssd service manages RPCSEC GSS contexts required to
secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
service is the server-side of RPCSEC GSS. If the system does not require secure
RPC then this service should be disabled.
The rpcsvcgssd service can be disabled with the following command:
$ sudo systemctl disable rpcsvcgssd.serviceUnnecessary services should be disabled to decrease the attack surface of the system.
To check that the rpcsvcgssd service is disabled in system boot configuration, run the following command:
$ sudo chkconfig rpcsvcgssd --list
Output should indicate the rpcsvcgssd service has either not been installed,
or has been disabled at all runlevels, as shown in the example below:
$ sudo chkconfig rpcsvcgssd --list
rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Run the following command to verify rpcsvcgssd is disabled through current runtime configuration:
$ sudo service rpcsvcgssd status
If the service is disabled the command will return the following output:
rpcsvcgssd is stoppedMount Remote Filesystems with Restrictive OptionsEdit the file /etc/fstab. For each filesystem whose type
(column 3) is nfs or nfs4, add the text
,nodev,nosuid to the list of mount options in column 4. If
appropriate, also add ,noexec.
See the section titled "Restrict Partition Mount Options" for a description of
the effects of these options. In general, execution of files mounted via NFS
should be considered risky because of the possibility that an adversary could
intercept the request and substitute a malicious file. Allowing setuid files to
be executed from remote servers is particularly risky, both for this reason and
because it requires the clients to extend root-level trust to the NFS
server.Mount Remote Filesystems with nodev
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any NFS mounts.
Legitimate device files should only exist in the /dev directory. NFS mounts
should not present device files to users.
To verify the nodev option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the nodev setting in parentheses. This is not applicable if NFS is
not implemented.
Mount Remote Filesystems with nosuid
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any NFS mounts.
NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem.
To verify the nosuid option is configured for all NFS mounts, run the following command:
$ mount | grep nfs
All NFS mounts should show the nosuid setting in parentheses. This is not applicable if NFS is
not implemented.
Configure NFS ServersThe steps in this section are appropriate for machines which operate as NFS servers.Configure the Exports File RestrictivelyLinux's NFS implementation uses the file /etc/exports to control what filesystems
and directories may be accessed via NFS. (See the exports(5) manpage for more information about the
format of this file.)
The syntax of the exports file is not necessarily checked fully on reload, and syntax errors
can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying
the file.
The syntax of each line in /etc/exports is:
/DIR host1(opt1,opt2) host2(opt3)
where /DIR is a directory or filesystem to export, hostN is an IP address, netblock,
hostname, domain, or netgroup to which to export, and optN is an option.
Use Access Lists to Enforce Authorization RestrictionsWhen configuring NFS exports, ensure that each export line in /etc/exports contains
a list of hosts which are allowed to access that export. If no hosts are specified on an export line,
then that export is available to any remote host which requests it. All lines of the exports file should
specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that
unknown or remote hosts will be denied.
Authorized hosts can be specified in several different formats:
Name or alias that is recognized by the resolverFully qualified domain nameIP addressIP subnets in the format address/netmask or address/CIDRExport Filesystems Read-Only if PossibleIf a filesystem is being exported so that users can view the files in a convenient
fashion, but there is no need for users to edit those files, exporting the filesystem read-only
removes an attack vector against the server. The default filesystem export mode is ro,
so do not specify rw without a good reason.
Use Root-Squashing on All ExportsIf a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
Ensure that no line in /etc/exports contains the option no_root_squash.
If the NFS server allows root access to local file systems from remote hosts, this
access could be used to compromise the system.
Restrict NFS Clients to Privileged PortsBy default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over machines connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not be changed.
To ensure that the default has not been changed, ensure no line in
/etc/exports contains the option insecure.
Allowing client requests to be made from ports higher than 1024 could allow a unprivileged
user to initiate an NFS connection. If the unprivileged user account has been compromised, an
attacker could gain access to data on the NFS server.Ensure Insecure File Locking is Not AllowedBy default the NFS server requires secure file-lock requests,
which require credentials from the client in order to lock a file. Most NFS
clients send credentials with file lock requests, however, there are a few
clients that do not send credentials when requesting a file-lock, allowing the
client to only be able to lock world-readable files. To get around this, the
insecure_locks option can be used so these clients can access the
desired export. This poses a security risk by potentially allowing the client
access to data for which it does not have authorization.
Remove any instances of the
insecure_locks option from the file /etc/exports.
764Allowing insecure file locking could allow for sensitive data to be
viewed or edited by an unauthorized user.
To verify insecure file locking has been disabled, run the following command:
# grep insecure_locks /etc/exports
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/integration/������������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�016736� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/integration/make_check��������������������������������������������������0000755�0001751�0000033�00000002656�13163222324�020747� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
# Copyright 2016 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
echo "Running integration tests..."
echo
# parent dir of this script
PARENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
pushd $PARENT_DIR > /dev/null
BIN="$PARENT_DIR/../../bin"
export BIN
DATA_DIR_TEMPLATE="$PARENT_DIR/../../tests/data_dir_template"
export DATA_DIR_TEMPLATE
RUNWRAPPER_NO_FORK=1 source ../../runwrapper.sh
EXIT_CODE=0
for file in test_*.sh
do
printf "%-60s %s ... " "$file"
output=`./$file 2>&1`
if [ "$?" == "0" ]; then
echo "[ pass ]"
else
echo "[ FAIL ]"
echo
echo "$output"
echo
EXIT_CODE=1
fi
done
popd > /dev/null
exit $EXIT_CODE
����������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/integration/test_oscapd_cli_standalone.sh�������������������������������0000755�0001751�0000033�00000000431�13163222324�024642� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
# calls in this test should not require oscapd to be running
$PYTHON $BIN/oscapd-cli
[ $? -eq 2 ] || exit 1
$PYTHON $BIN/oscapd-cli --version || exit 1
$PYTHON $BIN/oscapd-cli -v || exit 1
$PYTHON $BIN/oscapd-cli --help || exit 1
$PYTHON $BIN/oscapd-cli -h || exit 1
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/integration/test_task_management.sh�������������������������������������0000755�0001751�0000033�00000000567�13163222324�023502� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
set -e
# TODO: Disable this test for now, it fails on Jenkins because Xorg is not there
exit 0
TMPDIR=$(mktemp -d)
cp -r "$DATA_DIR_TEMPLATE" "$TMPDIR"
export OSCAPD_CONFIG_FILE="$TMPDIR/data_dir_template/config.ini"
export OSCAPD_SESSION_BUS="1"
$PYTHON $BIN/oscapd &
OSCAPD_PID=$!
sleep 2
$PYTHON $BIN/oscapd-cli task
kill $OSCAPD_PID
rm -rf "$TMPDIR"
�����������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/tests/integration/test_oscapd_evaluate_standalone.sh��������������������������0000755�0001751�0000033�00000001056�13163222324�025705� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
# calls in this test should not require oscapd to be running
$PYTHON $BIN/oscapd-evaluate --help || exit 1
$PYTHON $BIN/oscapd-evaluate --h || exit 1
$PYTHON $BIN/oscapd-evaluate -v || exit 1
$PYTHON $BIN/oscapd-evaluate config || exit 1
$PYTHON $BIN/oscapd-evaluate --verbose config || exit 1
$PYTHON $BIN/oscapd-evaluate spec --input ../testing_data/ssg-fedora-ds.xml --print-xml || exit 1
$PYTHON $BIN/oscapd-evaluate spec --input ../testing_data/ssg-fedora-ds.xml --profile xccdf_org.ssgproject.content_profile_common --print-xml || exit 1
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/DESIGN_NOTES.md���������������������������������������������������������������0000644�0001751�0000033�00000003527�13163222324�015523� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Design Notes
## Puzzle Pieces
### Task
* target
* host
* VM $URL
* container / image $ID
* input content
* tailoring
* profile id, datastream id, ...
* HTML guide can be always generated
### Task Result
* ARF always
* HTML report can be always generated
## CLI use-cases
```
$ oscapd-cli task list
Active tasks:
ID | Title | Next run | Repeats |
-------------------------------------------------------------------------
2 | Weekly USGCB evaluation | 2015-04-10 01:00 (in 8 hours) | @weekly |
3 | Daily STIG evaluation | 2015-03-09 23:00 (in 6 hours) | @daily |
4 | One-off evaluation | 2015-03-09 23:30 (in 6 hours) | - |
Inactive tasks:
ID | Title
------------------------------------------------------------------------
1 | Testing evaluation
```
```
$ oscapd-cli task 2
ID: 2
Title: Weekly USGCB evaluation
Target: localhost
Input file: /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
Tailoring: N/A
Profile ID: xccdf_org.ssgproject.content_profile_usgcb-rhel6-server
Next run: 2015-04-10 01:00 (in 8 hours)
Repeats: @weekly = 168 hours
Time slip: no_slip
ARF upload: disabled
One-off: false
Results:
ID | Timestamp
----------------------
23 | 2015-04-03 01:13
14 | 2015-03-27 01:11
11 | 2015-03-20 01:15
````
```
$ oscapd-cli result 23
ID: 23
Task ID: 2
Timestamp: 2015-04-03
ARF path: /var/lib/oscapd-cli/results/23/results-arf.xml
```
```
$ oscapd-cli result 23 report > report.html
```
```
$ oscapd-cli result 23 arf > arf.xml
```
```
# generate report of last result from task 2
$ oscapd-cli result 2/last report
```
```
$ oscapd-cli task 2 disable
$ oscapd-cli task 2 enable
```
```
# manually update oscapd-cli, for debugging purposes
$ oscapd-cli update
Found 4 tasks in total, 3 enabled tasks.
````
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/oscapd.service����������������������������������������������������������������0000644�0001751�0000033�00000000315�13163222324�016103� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������[Unit]
Description=OpenSCAP Daemon
Documentation=http://open-scap.org/tools/openscap-daemon
[Service]
Type=dbus
BusName=org.OpenSCAP.daemon
ExecStart=/usr/bin/oscapd
[Install]
WantedBy=multi-user.target
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/org.oscapd.conf���������������������������������������������������������������0000644�0001751�0000033�00000001103�13163222324�016152� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/setup.py����������������������������������������������������������������������0000755�0001751�0000033�00000004170�13163222324�014770� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import os
import os.path
from openscap_daemon import version
from distutils.core import setup
def get_packages():
# Distutils requires us to list all packages, this is very tedious and prone
# to errors. This method crawls the hierarchy and gathers all packages.
ret = ["openscap_daemon"]
for dirpath, _, files in os.walk("openscap_daemon"):
if "__init__.py" in files:
ret.append(dirpath.replace(os.path.sep, "."))
return ret
setup(
name="openscap_daemon",
version=version.VERSION_STRING,
author="Martin Preisler, Brent Baude and others",
author_email="mpreisle@redhat.com",
description="...",
license="LGPL2.1+",
url="http://www.open-scap.org/",
packages=get_packages(),
scripts=[
os.path.join("bin", "oscapd"),
os.path.join("bin", "oscapd-cli"),
os.path.join("bin", "oscapd-evaluate")
],
data_files=[
(os.path.join("/", "etc", "dbus-1", "system.d"),
["org.oscapd.conf"]),
(os.path.join("/", "usr", "lib", "systemd", "system"),
["oscapd.service"]),
(os.path.join("/", "usr", "share", "doc", "openscap-daemon"),
["README.md", "LICENSE"]),
(os.path.join("/", "usr", "share", "man", "man8"),
["man/oscapd.8", "man/oscapd-cli.8", "man/oscapd-evaluate.8"]),
],
)
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/container/��������������������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�015233� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/container/config.ini����������������������������������������������������������0000644�0001751�0000033�00000001126�13163222324�017201� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������[General]
tasks-dir = /var/lib/oscapd/tasks
results-dir = /var/lib/oscapd/results
work-in-progress-dir = /var/lib/oscapd/work_in_progress
cve-feeds-dir = /var/lib/oscapd/cve_feeds
jobs = 4
[Tools]
oscap = /usr/bin/oscap
oscap-ssh = /usr/bin/oscap-ssh
oscap-vm = /usr/bin/oscap-vm
oscap-docker = /usr/bin/oscap-docker
oscap-chroot = /usr/bin/oscap-chroot
container-support = yes
[Content]
cpe-oval = /usr/share/openscap/cpe/openscap-cpe-oval.xml
ssg = /usr/share/xml/scap/ssg/content
[CVEScanner]
fetch-cve = no
fetch-cve-url = https://www.redhat.com/security/data/oval/
fetch-cve-timeout = 600
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/container/install.sh����������������������������������������������������������0000755�0001751�0000033�00000002537�13163222324�017247� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
ETC='/etc/oscapd'
ETC_FILE='config.ini'
HOST='/host'
echo ""
echo "Installing the configuration file 'openscap' into /etc/atomic.d/. You can now use this scanner with atomic scan with the --scanner openscap command-line option. You can also set 'openscap' as the default scanner in /etc/atomic.conf. To list the scanners you have configured for your system, use 'atomic scan --list'."
echo ""
cp /root/openscap /host/etc/atomic.d/
SCRIPTS="/etc/atomic.d/scripts/"
echo ""
echo "Copying the remediation script 'remediate.py' into $SCRIPTS. You can now remediate images with atomic scan using --remediate command-line option."
echo ""
if [[ ! -d $HOST/$SCRIPTS ]]; then
mkdir -p $HOST/$SCRIPTS
fi
cp /root/remediate.py $HOST/$SCRIPTS
# Check if /etc/oscapd exists on the host
if [[ ! -d ${HOST}/${ETC} ]]; then
mkdir ${HOST}/${ETC}
fi
DATE=$(date +'%Y-%m-%d-%T')
# Check if /etc/oscapd/config.ini exists
if [[ -f ${HOST}/${ETC}/${ETC_FILE} ]]; then
SAVE_NAME=${ETC_FILE}.${DATE}.atomic_save
echo "Saving current ${ETC_FILE} as ${SAVE_NAME}"
mv ${HOST}/${ETC}/${ETC_FILE} ${HOST}/${ETC}/${SAVE_NAME}
fi
# Add config.ini to the host filesystem
echo "Updating ${ETC_FILE} with latest configuration"
cp /root/config.ini ${HOST}/${ETC}/
# Exit Message
echo "Installation complete. You can customize ${ETC}/${ETC_FILE} as needed."
echo ""
�����������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/container/openscap������������������������������������������������������������0000644�0001751�0000033�00000002361�13163222324�016770� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������type: scanner
scanner_name: openscap
image_name: openscap
default_scan: cve
custom_args: ['-v', '/etc/oscapd:/etc/oscapd:ro']
remediation_script: '/etc/atomic.d/scripts/remediate.py'
scans: [
{ name: cve,
args: ['oscapd-evaluate', 'scan', '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '-j1'],
description: "Performs a CVE scan based on Red Hat relesead CVE OVAL. !WARNING! This CVE is built into container image and it might be out-of-date. Change config.ini to configure the scanner to fetch latest CVE data"},
{ name: standards_compliance,
args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '--no-cve-scan', '-j1'],
description: "!DEPRECATED! Performs scan with Standard Profile, as present in SCAP Security Guide shipped in Red Hat Enterprise Linux"
},
{ name: configuration_compliance,
args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin', '--output', '/scanout', '--no-cve-scan', '--fix_type', 'bash', '-j1'],
description: "Performs a configuration compliance scan according to selected profile from SCAP Security Guide shipped in Red Hat Enterprise Linux."
}
]
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/container/run.sh��������������������������������������������������������������0000755�0001751�0000033�00000000647�13163222324�016405� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
echo ""
if [ ! -e /host/etc/atomic.d/openscap ]; then
echo "No 'openscap' file found in /etc/atomic.d. This image requires you install it with 'atomic install rhel7/openscap'"
else
echo "This container/image is not meant to be run outside of the atomic command. You can use this image by issuing 'atomic scan to scan'. See 'atomic scan --help' for more information."
fi
echo ""
�����������������������������������������������������������������������������������������openscap-daemon-0.1.8/container/remediate.py��������������������������������������������������������0000755�0001751�0000033�00000007042�13163222324�017552� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python
# Copyright 2017 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Jan Cerny
import argparse
import docker
import os
import shutil
import sys
import tempfile
import json
import requests
def remediate(target_id, results_dir):
# Class docker.Client was renamed to docker.APIClient in
# python-docker-py 2.0.0.
try:
client = docker.APIClient()
except AttributeError:
client = docker.Client()
try:
client.ping()
except requests.exceptions.ConnectionError as e:
raise RuntimeError(
"The Docker daemon does not appear to be running: {}.\n"
.format(e)
)
print("Remediating target {}.".format(target_id))
temp_dir = tempfile.mkdtemp()
fix_script = os.path.join(results_dir, target_id, "fix.sh")
try:
shutil.copy(fix_script, temp_dir)
except IOError as e:
raise RuntimeError(
"Can't find a remediation for given image: {}.\n"
.format(e)
)
try:
dockerfile_path = os.path.join(temp_dir, "Dockerfile")
with open(dockerfile_path, "w") as f:
f.write("FROM " + target_id + "\n")
f.write("COPY fix.sh /\n")
f.write("RUN chmod +x /fix.sh; /fix.sh\n")
try:
build_output_generator = client.build(
path=temp_dir,
# don't use image cache to ensure that original image
# is always remediated
nocache=True
)
except docker.errors.APIError as e:
raise RuntimeError("Docker exception: {}\n".format(e))
build_output = []
for item in build_output_generator:
item_dict = json.loads(item.decode("utf-8"))
if "error" in item_dict:
raise RuntimeError(
"Error during Docker build {}\n".format(item_dict["error"])
)
sys.stdout.write(item_dict["stream"])
build_output.append(item_dict["stream"])
image_id = build_output[-1].split()[-1]
print(
"Successfully built remediated image {} from {}.\n"
.format(image_id, target_id)
)
except RuntimeError as e:
raise RuntimeError(
"Cannot build remediated image from {}: {}\n"
.format(target_id, e)
)
finally:
shutil.rmtree(temp_dir)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Remediates container images.')
parser.add_argument("--id", required=True,
help="Image ID")
parser.add_argument("--results_dir", required=True,
help="Directory containing the fix.")
args = parser.parse_args()
try:
remediate(args.id, args.results_dir)
except RuntimeError as e:
sys.stderr.write(str(e))
sys.exit(1)
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/generate-dockerfile.py��������������������������������������������������������0000755�0001751�0000033�00000020466�13163222324�017535� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/python
import argparse
labels = [
("com.redhat.component", "openscap-docker"),
("name", "openscap"),
("version", "testing"),
("architecture", "x86_64"),
("summary", "OpenSCAP container image that provides security/compliance scanning capabilities for 'atomic scan'"),
("description", "OpenSCAP is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a standard way of expressing checklist content and defines security checklists."),
("io.k8s.display-name", "OpenSCAP"),
("io.k8s.description", "OpenSCAP is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a standard way of expressing checklist content and defines security checklists."),
("io.openshift.tags", "security openscap scan"),
("install", "docker run --rm --privileged -v /:/host/ IMAGE sh /root/install.sh"),
("run", "docker run -it --rm -v /:/host/ IMAGE sh /root/run.sh")
]
packages = [
"bzip2",
"wget"
]
files = [
("container/install.sh", "/root"),
("container/run.sh", "/root"),
("container/openscap", "/root"),
("container/config.ini", "/root"),
("container/remediate.py", "/root")
]
env_variables = [
("container", "docker")
]
install_commands = {
"fedora": "dnf",
"rhel": "yum"
}
builddep_packages = {
"fedora" : "'dnf-command(builddep)'",
"rhel" : "yum-utils"
}
builddep_commands = {
"fedora": "dnf -y builddep",
"rhel": "yum-builddep -y"
}
download_cve_feeds_command = [
"wget --no-verbose -P /var/lib/oscapd/cve_feeds/ "
"https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL{5,6,7}.xml.bz2",
"bzip2 -dk /var/lib/oscapd/cve_feeds/com.redhat.rhsa-RHEL{5,6,7}.xml.bz2",
"ln -s /var/lib/oscapd/cve_feeds/ /var/tmp/image-scanner"
]
openscap_build_command = [
"git clone -b maint-1.2 https://github.com/OpenSCAP/openscap.git",
"pushd /openscap",
"./autogen.sh",
"./configure --enable-sce --prefix=/usr",
"make -j 4 install",
"popd"
]
ssg_build_command = [
"git clone https://github.com/OpenSCAP/scap-security-guide.git",
"pushd /scap-security-guide/build",
"cmake -DCMAKE_INSTALL_DATADIR=/usr/share ..",
"make -j 4 install",
"popd"
]
daemon_local_build_command = [
"pushd /openscap-daemon",
"python setup.py install",
"popd"
]
delim = " && \\\n "
def main():
parser = argparse.ArgumentParser(description="Builds an image with OpenSCAP Daemon")
openscap_group = parser.add_mutually_exclusive_group(required=False)
ssg_group = parser.add_mutually_exclusive_group(required=False)
daemon_group = parser.add_mutually_exclusive_group(required=False)
parser.add_argument("--base", type=str, default="fedora",
help="Base image name (default is fedora)")
openscap_group.add_argument("--openscap-from-git", action="store_true",
default=False, help="Use OpenSCAP from upstream instead of package")
openscap_group.add_argument("--openscap-from-koji", type=str,
help="Use OpenSCAP from Koji based on build ID (Fedora only)")
ssg_group.add_argument("--ssg-from-koji", type=str,
help="Use SCAP Security Guide from Koji based on build ID (Fedora only)")
ssg_group.add_argument("--ssg-from-git", action="store_true", default=False,
help="Use SCAP Security Guide from upstream instead of package")
daemon_group.add_argument("--daemon-from-local", action="store_true", default=False,
help="Use OpenSCAP Daemon from local working tree instead of package")
daemon_group.add_argument("--daemon-from-koji", type=str,
help="Use OpenSCAP Daemon from Koji based on build ID (Fedora only)")
args = parser.parse_args()
if (args.base != "fedora") and (args.openscap_from_koji != None
or args.ssg_from_koji != None or args.daemon_from_koji != None):
parser.error("Koji builds can be used only with fedora base image")
f = open("Dockerfile", "w")
# Fallback commands are set to RHEL if the configuration
# for user-defined base is not specified in respective dictionaries.
# That's because RHEL uses YUM that is older and most wider used.
install_command = install_commands.get(args.base, install_commands["rhel"])
builddep_package = builddep_packages.get(args.base, builddep_packages["rhel"])
builddep_command = builddep_commands.get(args.base, builddep_commands["rhel"])
# write out the Dockerfile
f.write("FROM {0}\n\n".format(args.base))
# add labels
for name, value in labels:
f.write("LABEL {0}=\"{1}\"\n".format(name, value))
f.write("\n")
# add environment variables
for var, val in env_variables:
f.write("ENV {0} {1}\n".format(var, val))
f.write("\n")
build_from_source = []
build_commands = []
koji_commands = []
install_from_koji = []
# OpenSCAP
if args.openscap_from_git:
packages.extend(["git", "libtool", "automake"])
build_from_source.append("openscap")
build_commands.append(openscap_build_command)
elif args.openscap_from_koji != None:
packages.extend(["koji"])
install_from_koji.append("openscap")
openscap_koji_command = [
"koji download-build -a x86_64 {0}".format(args.openscap_from_koji),
"koji download-build -a noarch {0}".format(args.openscap_from_koji),
"{0} -y install openscap-[0-9]*.rpm openscap-scanner*.rpm openscap-utils*.rpm openscap-containers*.rpm".format(install_command),
"rm -f openscap-*.rpm"
]
koji_commands.append(openscap_koji_command)
else:
packages.append("openscap-utils")
# SCAP Security Guide
if args.ssg_from_git:
packages.append("git")
build_from_source.append("scap-security-guide")
build_commands.append(ssg_build_command)
elif args.ssg_from_koji != None:
packages.extend(["koji"])
install_from_koji.append("scap-security-guide")
ssg_koji_command = [
"koji download-build -a noarch {0}".format(args.ssg_from_koji),
"{0} -y install scap-security-guide-[0-9]*.rpm".format(install_command),
"rm -f scap-security-guide*.rpm"
]
koji_commands.append(ssg_koji_command)
else:
packages.append("scap-security-guide")
# OpenSCAP Daemon
if args.daemon_from_local:
build_from_source.append("openscap-daemon")
build_commands.append(daemon_local_build_command)
files.append((".","/openscap-daemon"))
elif args.daemon_from_koji != None:
packages.extend(["koji"])
install_from_koji.append("openscap-daemon")
daemon_koji_command = [
"koji download-build -a noarch {0}".format(args.daemon_from_koji),
"{0} -y install openscap-daemon*.rpm".format(install_command),
"rm -f openscap-daemon*.rpm"
]
koji_commands.append(daemon_koji_command)
else:
packages.append("openscap-daemon")
# inject files
for filename, path in files:
f.write("ADD {0} {1}\n".format(filename, path))
f.write("\n")
if build_from_source:
packages.append(builddep_package)
if args.base != "fedora":
f.write("RUN rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm\n\n")
# add a command to install packages
f.write("RUN {0} -y install {1}\n\n".format(install_command, " ".join(set(packages))))
if build_from_source:
# install build dependencies
f.write("RUN {0} {1}\n\n".format(builddep_command, " ".join(build_from_source)))
if build_from_source:
# add commands for building from custom sources
for cmd in build_commands:
f.write("RUN {0}\n\n".format(delim.join(cmd)))
if install_from_koji:
for cmd in koji_commands:
f.write("RUN {0}\n\n".format(delim.join(cmd)))
# add RUN instruction that will download CVE feeds
f.write("RUN {0}\n\n".format(delim.join(download_cve_feeds_command)))
# clean package manager cache
f.write("RUN {0} clean all\n\n".format(install_command))
# add CMD instruction to the Dockerfile, including a comment
f.write("# It doesn't matter what is in the line below, atomic will change the CMD\n")
f.write("# before running it\n")
f.write('CMD ["/root/run.sh"]\n')
f.close()
if __name__ == "__main__":
main()
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/runwrapper.sh�����������������������������������������������������������������0000755�0001751�0000033�00000002411�13163222324�016013� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/bash
# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
# parent dir of this script
PARENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# add directory with "openscap_daemon" to $PYTHONPATH
export PYTHONPATH=$PARENT_DIR:$PYTHONPATH
# force python to print using utf-8
export PYTHONIOENCODING=UTF-8
export OSCAPD_CONFIG_FILE="$PARENT_DIR/tests/data_dir_template/config.ini"
export OSCAPD_SESSION_BUS="1"
if [ "x$RUNWRAPPER_NO_FORK" != "x1" ]; then
# fork a new shell to avoid polluting the environment
bash
fi
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/man/��������������������������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�014024� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/man/oscapd-evaluate.8���������������������������������������������������������0000644�0001751�0000033�00000002224�13163222324�017172� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������.TH OSCAPD-EVALUATE "8" "March 2016" "Red Hat" "System Administration Utilities"
.SH NAME
oscapd-evaluate \- OpenSCAP-daemon one-off non-daemonized evaluator
.SH SYNOPSIS
\fBoscapd-evaluate\fR [\fI-h\fR] [\fI-v\fR] [\fI--verbose\fR] {config,xml,spec,target-cpes,target-profiles,scan}
.SS "positional arguments:"
.IP
{config,xml,spec,target\-cpes,target\-profiles,scan}
.TP
config
Generate default config file for oscapd and oscapd-evaluate.
.TP
xml
Evaluates Evaluation Spec from given XML input.
.TP
spec
Constructs Evaluation Spec from given parameters and evaluates it or outputs its XML.
.TP
target\-cpes
Detects CPEs of given target.
.TP
target\-profiles
Detects configuration compliance profiles from SCAP Security Guide applicable on given target.
.TP
scan
Performs CVE scan and/or configuration compliance evaluation of given targets. Outputs raw XML results and a summary JSON output.
.SS "optional arguments:"
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-v\fR, \fB\-\-version\fR
show program's version number and exit
.TP
\fB\-\-verbose\fR
Show debugging logging messages.
.SH AUTHORS
.nf
Martin Preisler
.fi
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/man/oscapd-cli.8��������������������������������������������������������������0000644�0001751�0000033�00000001657�13163222324�016144� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������.TH OSCAPD-CLI "8" "January 2016" "Red Hat" "System Administration Utilities"
.SH NAME
oscapd-cli \- OpenSCAP-daemon command line interface
.SH SYNOPSIS
\fBoscapd-cli\fR [\fI-h\fR] {eval,scan,task,task-create,status,result}
.SS "positional arguments:"
.IP
{eval,task,task\-create,status,result}
.TP
eval
Interactive one\-off evaluation of any target supported
by OpenSCAP Daemon
.TP
task
Show info about tasks that have already been defined.
Perform operations on already defined tasks.
.TP
task\-create
Create new task.
.TP
status
Displays status, tasks that are planned and tasks that
are being evaluated.
.TP
result
Displays info about past results
.SS "optional arguments:"
.TP
\fB\-h\fR, \fB\-\-help\fR
show this help message and exit
.TP
\fB\-v\fR, \fB\-\-version\fR
show program's version number and exit
.SH AUTHORS
.nf
Martin Preisler
Brent Baude
Zbynek Moravec
.fi
���������������������������������������������������������������������������������openscap-daemon-0.1.8/man/oscapd.8������������������������������������������������������������������0000644�0001751�0000033�00000001371�13163222324�015370� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������.TH OSCAPD "8" "Jan 2016" "Red Hat" "System Administration Utilities"
.SH NAME
oscapd \- OpenSCAP-daemon service
.SH SYNOPSIS
\fBoscapd\fR [\fI-h\fR] [\fI-v\fR] [\fI--verbose\fR]
.SH DESCRIPTION
\fBoscapd\fP is the central executable of OpenSCAP-daemon. When started it provides a dbus interface that other tools (such as oscapd-cli and atomic) can interact with.
In production environments it is not recommended to start the service directly, use \fBsystemctl start oscapd\fP instead.
.SH GENERAL OPTIONS
.TP
\fB\-v, \-\-version\fR
Show version.
.TP
\fB\-h, \-\-help\fR
Help screen.
.TP
\fB\-\-verbose\fR
Start in verbose mode.
.SH AUTHORS
.nf
Martin Preisler
Brent Baude
Zbynek Moravec
.fi
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/.gitignore��������������������������������������������������������������������0000644�0001751�0000033�00000001530�13163222324�015240� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
# C extensions
*.so
# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
*.egg-info/
.installed.cfg
*.egg
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
MANIFEST
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
# Translations
*.mo
*.pot
# Django stuff:
*.log
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# vim rope
.ropeproject/
# IntelliJ IDEA
.idea/
/static-analysis-output
/tests/data_dir_template/cve_feeds/
/tests/data_dir_template/results/
������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/pylint.cfg��������������������������������������������������������������������0000644�0001751�0000033�00000013720�13163222324�015254� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������[MASTER]
# Specify a configuration file.
#rcfile=
# Python code to execute, usually for sys.path manipulation such as
# pygtk.require().
#init-hook=
# Profiled execution.
profile=no
# Add files or directories to the blacklist. They should be base names, not
# paths.
ignore=.git
# Pickle collected data for later comparisons.
persistent=yes
# List of plugins (as comma separated values of python modules names) to load,
# usually to register additional checkers.
load-plugins=
[MESSAGES CONTROL]
# Enable the message, report, category or checker with the given id(s). You can
# either give multiple identifier separated by comma (,) or put this option
# multiple time.
#enable=
# Disable the message, report, category or checker with the given id(s). You
# can either give multiple identifier separated by comma (,) or put this option
# multiple time (only on the command line, not in the configuration file where
# it should appear only once).
# line too long, no docstring, too many members
disable=C0301, C0111, R0904
[REPORTS]
# Set the output format. Available formats are text, parseable, colorized, msvs
# (visual studio) and html
output-format=text
# Include message's id in output
include-ids=no
# Put messages in a separate file for each module / package specified on the
# command line instead of printing them on stdout. Reports (if any) will be
# written in a file name "pylint_global.[txt|html]".
files-output=no
# Tells whether to display a full report or only the messages
reports=yes
# Python expression which should return a note less than 10 (10 is the highest
# note). You have access to the variables errors warning, statement which
# respectively contain the number of errors / warnings messages and the total
# number of statements analyzed. This is used by the global evaluation report
# (RP0004).
evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
# Add a comment according to your evaluation note. This is used by the global
# evaluation report (RP0004).
comment=no
[TYPECHECK]
# Tells whether missing members accessed in mixin class should be ignored. A
# mixin class is detected if its name ends with "mixin" (case insensitive).
ignore-mixin-members=yes
# List of classes names for which member attributes should not be checked
# (useful for classes with attributes dynamically set).
ignored-classes=
# When zope mode is activated, add a predefined set of Zope acquired attributes
# to generated-members.
zope=no
# List of members which are set dynamically and missed by pylint inference
# system, and so shouldn't trigger E0201 when accessed. Python regular
# expressions are accepted.
generated-members=REQUEST,acl_users,aq_parent
[BASIC]
# Required attributes for module, separated by a comma
required-attributes=
# List of builtins function names that should not be used, separated by a comma
bad-functions=map,filter,apply,input
# Good variable names which should always be accepted, separated by a comma
good-names=i,j,k,ex,_
# Bad variable names which should always be refused, separated by a comma
bad-names=foo,bar,baz,toto,tutu,tata
# Regular expression which should only match functions or classes name which do
# not require a docstring
no-docstring-rgx=__.*__
[SIMILARITIES]
# Minimum lines number of a similarity.
min-similarity-lines=4
# Ignore comments when computing similarities.
ignore-comments=yes
# Ignore docstrings when computing similarities.
ignore-docstrings=yes
[FORMAT]
# Maximum number of characters on a single line.
max-line-length=80
# Maximum number of lines in a module
max-module-lines=1000
# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
# tab).
indent-string=' '
[VARIABLES]
# Tells whether we should check for unused import in __init__ files.
init-import=no
# A regular expression matching the beginning of the name of dummy variables
# (i.e. not used).
dummy-variables-rgx=_|dummy
# List of additional names supposed to be defined in builtins. Remember that
# you should avoid to define new builtins when possible.
additional-builtins=
[MISCELLANEOUS]
# List of note tags to take in consideration, separated by a comma.
notes=FIXME,XXX,TODO
[CLASSES]
# List of interface methods to ignore, separated by a comma. This is used for
# instance to not check methods defines in Zope's Interface base class.
ignore-iface-methods=isImplementedBy,deferred,extends,names,namesAndDescriptions,queryDescriptionFor,getBases,getDescriptionFor,getDoc,getName,getTaggedValue,getTaggedValueTags,isEqualOrExtendedBy,setTaggedValue,isImplementedByInstancesOf,adaptWith,is_implemented_by
# List of method names used to declare (i.e. assign) instance attributes.
defining-attr-methods=__init__,__new__,setUp
[IMPORTS]
# Deprecated modules which should not be used, separated by a comma
deprecated-modules=regsub,string,TERMIOS,Bastion,rexec
# Create a graph of every (i.e. internal and external) dependencies in the
# given file (report RP0402 must not be disabled)
import-graph=
# Create a graph of external dependencies in the given file (report RP0402 must
# not be disabled)
ext-import-graph=
# Create a graph of internal dependencies in the given file (report RP0402 must
# not be disabled)
int-import-graph=
[DESIGN]
# Maximum number of arguments for function / method
max-args=5
# Argument names that match this expression will be ignored. Default to name
# with leading underscore
ignored-argument-names=_.*
# Maximum number of locals for function / method body
max-locals=15
# Maximum number of return / yield for function / method body
max-returns=6
# Maximum number of branch for function / method body
max-branchs=12
# Maximum number of statements in function / method body
max-statements=50
# Maximum number of parents for a class (see R0901).
max-parents=7
# Maximum number of attributes for a class (see R0902).
max-attributes=20
# Minimum number of public methods for a class (see R0903).
min-public-methods=2
# Maximum number of public methods for a class (see R0904).
max-public-methods=30
������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/��������������������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�016404� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/oscap_helpers.py����������������������������������������������0000644�0001751�0000033�00000040367�13163222324�021617� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import subprocess
import tempfile
import os.path
import logging
import io
from xml.etree import cElementTree as ElementTree
from openscap_daemon import et_helpers
from openscap_daemon.compat import subprocess_check_output
class EvaluationMode(object):
UNKNOWN = -1
SOURCE_DATASTREAM = 1
OVAL = 2
CVE_SCAN = 3
STANDARD_SCAN = 4
@staticmethod
def to_string(value):
if value == EvaluationMode.SOURCE_DATASTREAM:
return "sds"
elif value == EvaluationMode.OVAL:
return "oval"
elif value == EvaluationMode.CVE_SCAN:
return "cve_scan"
elif value == EvaluationMode.STANDARD_SCAN:
return "standard_scan"
else:
return "unknown"
@staticmethod
def from_string(value):
if value == "sds":
return EvaluationMode.SOURCE_DATASTREAM
elif value == "oval":
return EvaluationMode.OVAL
elif value == "cve_scan":
return EvaluationMode.CVE_SCAN
elif value == "standard_scan":
return EvaluationMode.STANDARD_SCAN
else:
return EvaluationMode.UNKNOWN
def get_profile_choices_for_input(input_file, tailoring_file):
# Ideally oscap would have a command line to do this, but as of now it
# doesn't so we have to implement it ourselves. Importing openscap Python
# bindings is nasty and overkill for this.
logging.debug(
"Looking for profile choices in '%s' with tailoring file '%s'.",
input_file, tailoring_file
)
ret = {}
def scrape_profiles(tree, namespace, dest):
# TODO support multiple benchmarks in one DataStream
benchmark = tree.find(".//{%s}Benchmark" % (namespace))
if benchmark is None:
return
for elem in benchmark.findall(".//{%s}Profile" % (namespace)):
id_ = elem.get("id")
if id_ is None:
continue
title = et_helpers.get_element_text(
elem, "{%s}title" % (namespace), ""
)
dest[id_] = title
try:
input_tree = ElementTree.parse(input_file)
except IOError:
# The file doesn't exist, therefore there are no profile options
logging.exception(
"IOError encountered while trying to determine profile choices "
"for '%s'.", input_file
)
return ret
except ElementTree.ParseError:
logging.exception(
"ParserError encountered while trying to determine profile choices "
"for '%s'.", input_file
)
return ret
scrape_profiles(
input_tree, "http://checklists.nist.gov/xccdf/1.1", ret
)
scrape_profiles(
input_tree, "http://checklists.nist.gov/xccdf/1.2", ret
)
if tailoring_file:
tailoring_tree = ElementTree.parse(tailoring_file)
scrape_profiles(
tailoring_tree, "http://checklists.nist.gov/xccdf/1.1", ret
)
scrape_profiles(
tailoring_tree, "http://checklists.nist.gov/xccdf/1.2", ret
)
ret[""] = "(default)"
logging.info(
"Found %i profile choices in '%s' with tailoring file '%s'.",
len(ret), input_file, tailoring_file
)
return ret
def get_generate_guide_args(spec, config):
ret = [config.oscap_path, "xccdf", "generate", "guide"]
ret.extend(spec.get_oscap_guide_arguments(config))
return ret
def generate_guide(spec, config):
if spec.mode not in [EvaluationMode.SOURCE_DATASTREAM,
EvaluationMode.STANDARD_SCAN]:
raise RuntimeError(
"Can't generate guide for an EvaluationSpec with mode '%s'. "
"Generating an HTML guide only works for 'sds' and 'standard_scan' "
"modes."
% (EvaluationMode.to_string(spec.mode))
)
if not spec.is_valid():
raise RuntimeError(
"Can't generate guide for an invalid EvaluationSpec."
)
args = get_generate_guide_args(spec, config)
logging.debug(
"Generating guide for evaluation spec with command '%s'.",
" ".join(args)
)
ret = subprocess_check_output(
args,
shell=False
).decode("utf-8")
logging.info("Generated guide for evaluation spec.")
return ret
def split_ssh_target(target):
if not target.startswith("ssh://") and not target.startswith("ssh+sudo://"):
raise RuntimeError(
"Can't split ssh target."
)
if target.startswith("ssh+sudo://"):
without_prefix = target[11:]
else:
without_prefix = target[6:]
if ":" in without_prefix:
host, port_str = without_prefix.split(":")
return host, int(port_str)
else:
return without_prefix, 22
def get_evaluation_args(spec, config):
ret = []
if spec.target == "localhost":
if config.oscap_path == "":
raise RuntimeError(
"Target '%s' requires the oscap tool which hasn't been found" %
(spec.target)
)
ret.extend([config.oscap_path])
elif spec.target.startswith("ssh://"):
if config.oscap_ssh_path == "":
raise RuntimeError(
"Target '%s' requires the oscap-ssh tool which hasn't been "
"found" % (spec.target)
)
host, port = split_ssh_target(spec.target)
ret.extend([config.oscap_ssh_path, host, str(port)])
elif spec.target.startswith("ssh+sudo://"):
if config.oscap_ssh_path == "":
raise RuntimeError(
"Target '%s' requires the oscap-ssh tool which hasn't been "
"found" % (spec.target)
)
host, port = split_ssh_target(spec.target)
ret.extend([config.oscap_ssh_path, '--sudo', host, str(port)])
elif spec.target.startswith("docker-image://"):
if config.oscap_ssh_path == "":
raise RuntimeError(
"Target '%s' requires the oscap-docker tool which hasn't been "
"found" % (spec.target)
)
image_name = spec.target[len("docker-image://"):]
ret.extend([config.oscap_docker_path, "image", image_name])
elif spec.target.startswith("docker-container://"):
if config.oscap_ssh_path == "":
raise RuntimeError(
"Target '%s' requires the oscap-docker tool which hasn't been "
"found" % (spec.target)
)
container_name = spec.target[len("docker-container://"):]
ret.extend([config.oscap_docker_path, "container", container_name])
elif spec.target.startswith("vm-domain://"):
if config.oscap_vm_path == "":
raise RuntimeError(
"Target '%s' requires the oscap-vm tool which hasn't been "
"found" % (spec.target)
)
domain_name = spec.target[len("vm-domain://"):]
ret.extend([config.oscap_vm_path, "domain", domain_name])
elif spec.target.startswith("vm-image://"):
if config.oscap_vm_path == "":
raise RuntimeError(
"Target '%s' requires the oscap-vm tool which hasn't been "
"found" % (spec.target)
)
storage_name = spec.target[len("vm-image://"):]
ret.extend([config.oscap_vm_path, "image", storage_name])
elif spec.target.startswith("chroot://"):
if config.oscap_chroot_path == "":
raise RuntimeError(
"Target '%s' requires the oscap-chroot tool which hasn't been "
"found" % (spec.target)
)
path = spec.target[len("chroot://"):]
ret.extend([config.oscap_chroot_path, path])
else:
raise RuntimeError(
"Unrecognized target '%s' in evaluation spec." % (spec.target)
)
ret.extend(spec.get_oscap_arguments(config))
return ret
def evaluate(spec, config):
"""Calls oscap to evaluate given task, creates a uniquely named directory
in given results_dir for it. Returns absolute path to that directory in
case of success.
Throws exception in case of failure.
"""
if not spec.is_valid():
raise RuntimeError("Can't evaluate an invalid EvaluationSpec.")
working_directory = tempfile.mkdtemp(
prefix="", suffix="",
dir=config.work_in_progress_dir
)
stdout_file = io.open(os.path.join(working_directory, "stdout"), "w",
encoding="utf-8")
stderr_file = io.open(os.path.join(working_directory, "stderr"), "w",
encoding="utf-8")
args = get_evaluation_args(spec, config)
logging.debug(
"Starting evaluation with command '%s'.",
" ".join(args)
)
exit_code = 1
try:
exit_code = subprocess.call(
args,
cwd=working_directory,
stdout=stdout_file,
stderr=stderr_file,
shell=False
)
except:
logging.exception(
"Failed to execute 'oscap' while evaluating EvaluationSpec."
)
stdout_file.flush()
stderr_file.flush()
with io.open(os.path.join(working_directory, "exit_code"), "w",
encoding="utf-8") as f:
f.write(u"%i" % (exit_code))
# Exit code 0 means evaluation was successful and machine is compliant.
# Exit code 1 means there was an error while evaluating.
# Exit code 2 means there were no errors but the machine is not compliant.
if exit_code == 0:
logging.info(
"Evaluated EvaluationSpec, exit_code=0."
)
# TODO: Assert that arf was generated
elif exit_code == 2:
logging.warning(
"Evaluated EvaluationSpec, exit_code=2."
)
# TODO: Assert that arf was generated
elif exit_code == 1:
logging.error(
"EvaluationSpec failed to evaluate, oscap returned 1 as exit code, "
"it may not be possible to get ARF/OVAL results or generate reports"
" for this result!"
)
# TODO: Assert that arf was NOT generated
else:
logging.error(
"Evaluated EvaluationSpec, unknown exit code %i!.", exit_code
)
return working_directory
def get_generate_report_args_for_results(spec, results_path, config):
if spec.mode == EvaluationMode.SOURCE_DATASTREAM:
# results_path is an ARF XML file
return [config.oscap_path, "xccdf", "generate", "report", results_path]
elif spec.mode == EvaluationMode.OVAL:
# results_path is an OVAL results XML file
return [config.oscap_path, "oval", "generate", "report", results_path]
elif spec.mode == EvaluationMode.CVE_SCAN:
# results_path is an OVAL results XML file
return [config.oscap_path, "oval", "generate", "report", results_path]
elif spec.mode == EvaluationMode.STANDARD_SCAN:
# results_path is an ARF XML file
return [config.oscap_path, "xccdf", "generate", "report", results_path]
else:
raise RuntimeError("Unknown evaluation mode")
def generate_report_for_result(spec, results_dir, result_id, config):
"""This function assumes that the ARF was generated using evaluate
in this same package. That's why we can avoid --datastream-id, ...
The behavior is undefined for generic ARFs!
"""
if not spec.is_valid():
raise RuntimeError("Can't generate report for any result of an "
"invalid EvaluationSpec.")
results_path = os.path.join(results_dir, str(result_id), "results.xml")
if not os.path.exists(results_path):
raise RuntimeError("Can't generate report for result '%s'. Expected "
"results XML at '%s' but the file doesn't exist."
% (result_id, results_path))
args = get_generate_report_args_for_results(spec, results_path, config)
logging.debug(
"Generating report for result %i of EvaluationSpec with command '%s'.",
result_id, " ".join(args)
)
ret = subprocess_check_output(
args,
shell=False
).decode("utf-8")
logging.info(
"Generated report for result %i of EvaluationSpec.", result_id
)
return ret
def get_status_from_exit_code(exit_code):
"""Returns human readable status based on given `oscap` exit_code
"""
status = "Unknown (exit_code = %i)" % (exit_code)
if exit_code == 0:
status = "Compliant"
elif exit_code == 1:
status = "Evaluation Error"
elif exit_code == 2:
status = "Non-Compliant"
return status
def _fix_type_to_template(fix_type):
fix_templates = {"bash": "urn:xccdf:fix:script:sh",
"ansible": "urn:xccdf:fix:script:ansible",
"puppet": "urn:xccdf:fix:script:puppet"}
template = fix_templates[fix_type]
return template
def _get_result_id(results_path):
tree = ElementTree.parse(results_path)
root = tree.getroot()
ns = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}
test_result = root.find(".//xccdf:TestResult", ns)
if test_result is None:
raise RuntimeError("Results XML '%s' doesn't contain any results."
% results_path)
return test_result.attrib["id"]
def generate_fix_for_result(config, results_path, fix_type):
if not os.path.exists(results_path):
raise RuntimeError("Can't generate fix for scan result. Expected "
"results XML at '%s' but the file doesn't exist."
% results_path)
result_id = _get_result_id(results_path)
template = _fix_type_to_template(fix_type)
args = [config.oscap_path, "xccdf", "generate", "fix",
"--result-id", result_id,
"--template", template,
results_path]
fix_text = subprocess_check_output(args).decode("utf-8")
return fix_text
def generate_html_report_for_result(config, results_path):
if not os.path.exists(results_path):
raise RuntimeError("Can't generate report for scan result. Expected "
"results XML at '%s' but the file doesn't exist."
% results_path)
result_id = _get_result_id(results_path)
args = [config.oscap_path, "xccdf", "generate", "report",
"--result-id", result_id, results_path]
report_text = subprocess_check_output(args).decode("utf-8")
return report_text
def generate_fix(spec, config, fix_type):
if spec.mode not in [EvaluationMode.SOURCE_DATASTREAM,
EvaluationMode.STANDARD_SCAN]:
raise RuntimeError(
"Can't generate fix for an EvaluationSpec with mode '%s'. "
"Generating a fix script only works for 'sds' and 'standard_scan' "
"modes."
% (EvaluationMode.to_string(spec.mode))
)
if not spec.is_valid():
raise RuntimeError(
"Can't generate fix for an invalid EvaluationSpec."
)
template = _fix_type_to_template(fix_type)
args = [config.oscap_path, "xccdf", "generate", "fix",
"--profile", spec.profile_id,
"--template", template,
spec.input_.file_path]
logging.debug(
"Generating fix script for evaluation spec with command '%s'.",
" ".join(args)
)
ret = subprocess_check_output(args).decode("utf-8")
logging.info("Generated fix script for evaluation spec.")
return ret
__all__ = [
"get_profile_choices_for_input",
"generate_guide",
"generate_fix",
"evaluate",
"generate_report_for_result",
"get_status_from_exit_code",
"generate_fix_for_result"
]
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/et_helpers.py�������������������������������������������������0000644�0001751�0000033�00000005076�13163222324�021120� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
def get_element_text(parent, element_name, default=None):
ret = None
for element in parent.findall(element_name):
if ret is not None:
raise RuntimeError(
"Found multiple '%s' elements." % (element_name)
)
ret = element.text
if ret is None:
return default
return ret
def get_element(parent, element_name):
ret = None
for element in parent.findall(element_name):
if ret is not None:
raise RuntimeError(
"Found multiple '%s' elements." %
(element_name)
)
ret = element
if ret is None:
raise RuntimeError(
"Found no element of tag '%s'!" %
(element_name)
)
return ret
def get_element_attr(parent, element_name, attr_name, default=None):
ret = None
for element in parent.findall(element_name):
if ret is not None:
raise RuntimeError(
"Found multiple '%s' elements with '%s' attributes." %
(element_name, attr_name)
)
ret = element.get(attr_name)
if ret is None:
return default
return ret
# taken from ElementLib and slightly tweaked for readability
def indent(elem, level=0, indent_char=" "):
i = "\n" + level * indent_char
if len(elem):
if not elem.text or not elem.text.strip():
elem.text = i + indent_char
last = None
for e in elem:
indent(e, level + 1)
if not e.tail or not e.tail.strip():
e.tail = i + indent_char
last = e
if not last.tail or not last.tail.strip():
last.tail = i
else:
if level and (not elem.tail or not elem.tail.strip()):
elem.tail = i
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/version.py����������������������������������������������������0000644�0001751�0000033�00000001765�13163222324�020454� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
VERSION_MAJOR = 0
VERSION_MINOR = 1
VERSION_PATCH = 8
VERSION_STRING = "%i.%i.%i" % (VERSION_MAJOR, VERSION_MINOR, VERSION_PATCH)
__all__ = ["VERSION_MAJOR", "VERSION_MINOR", "VERSION_PATCH", "VERSION_STRING"]
�����������openscap-daemon-0.1.8/openscap_daemon/async.py������������������������������������������������������0000644�0001751�0000033�00000012233�13163222324�020074� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import threading
import logging
import time
import sys
import traceback
if sys.version_info < (3,):
import Queue as queue
else:
import queue
class Status(object):
"""This enum describes status of async actions. Calls can be pending,
processing or done. When actions are done they are waiting for the caller
to collect the results and then they are deleted entirely.
"""
PENDING = 0
PROCESSING = 1
#DONE = 2
UNKNOWN = 3
@staticmethod
def from_string(status):
if status == "pending":
return Status.PENDING
elif status == "processing":
return Status.PROCESSING
#elif status == "done":
# return Status.DONE
return Status.UNKNOWN
@staticmethod
def to_string(status):
if status == Status.PENDING:
return "pending"
elif status == Status.PROCESSING:
return "processing"
#elif status == Status.DONE:
# return "done"
return "unknown"
class AsyncAction(object):
def __init__(self):
self.token = -1
self.status = Status.UNKNOWN
def run(self):
pass
def __str__(self):
return "Unknown action"
class AsyncManager(object):
"""Allows the user to enqueue asynchronous actions, gives the user a token
they can poll as often as they like and check status of the actions.
This is necessary to run many tasks in parallel and is necessary to make
the dbus API work smoothly. User calling dbus methods doesn't expect them
to take hours to finish. The calls themselves need to finish in seconds.
To make it work with OpenSCAP evaluations that regularly take tens of
minutes we create a task by the dbus call and then poll it.
"""
def _worker_main(self, worker_id):
while True:
priority, action = self.queue.get(True)
logging.debug(
"Worker %i starting action from the priority queue. "
"priority=%i, token=%i, action='%s'",
worker_id, priority, action.token, action
)
action.status = Status.PROCESSING
try:
action.run()
except BaseException as e:
logging.error("Action '%s' threw an exception that hasn't been "
"caught. This is most likely a bug, please"
"report it. %s" % (action, e))
exc_type, exc_value, tb = sys.exc_info()
traceback.print_tb(tb, file=sys.stderr)
self.queue.task_done()
with self.actions_lock:
del self.actions[action.token]
time.sleep(self.sleep_time)
def __init__(self, workers=0):
self.queue = queue.PriorityQueue()
self.sleep_time = 1
if workers == 0:
try:
import multiprocessing
workers = multiprocessing.cpu_count()
except NotImplementedError:
workers = 4
self.workers = []
for i in range(workers):
worker = threading.Thread(
name="AsyncManager worker (%i out of %i)" % (i, workers),
target=AsyncManager._worker_main,
args=(self, i)
)
worker.daemon = True
self.workers.append(worker)
worker.start()
self.last_token = 0
self.actions = {}
self.actions_lock = threading.Lock()
logging.debug("Initialized AsyncManager, %i workers",
len(self.workers))
def _allocate_token(self):
with self.actions_lock:
ret = self.last_token + 1
self.last_token = ret
assert(ret not in self.actions)
return ret
def enqueue(self, action, priority=0):
action.token = self._allocate_token()
action.status = Status.PENDING
with self.actions_lock:
self.actions[action.token] = action
self.queue.put((priority, action))
logging.debug("AsyncManager enqueued action '%s' with token %i",
action, action.token)
return action.token
def get_status(self):
ret = []
for token, action in self.actions.items():
ret.append((token, str(action), action.status))
return ret
def cancel(self, token):
raise NotImplementedError()
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/task.py�������������������������������������������������������0000644�0001751�0000033�00000047125�13163222324�017731� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
from openscap_daemon import et_helpers
from openscap_daemon import oscap_helpers
from openscap_daemon import evaluation_spec
from xml.etree import cElementTree as ElementTree
from datetime import datetime, timedelta
import os.path
import shutil
import threading
import logging
import io
class SlipMode(object):
"""This enum describes how to behave when scheduling repeated tasks.
Consider task 1 which is scheduled to run hourly every hour. Last run was
at 23:00. Schedule is to run 0:00, 1:00, 2:00, ... After last run, the
machine was turned off for 3 hours. Time is now 2:05.
With no_slip we will run 3 evaluations and the next schedule is 4:00.
With slip_missed we will run 1 evaluation and the next schedule is 4:05.
With slip_missed_aligned we will run 1 evaluation the next schedule is 4:00.
The de-facto standard is drop_missed_aligned. The tools will try their best
to be right on the timetable. In case of misses they will run one task ASAP
and try to adhere precisely to the timetable again.
"""
UNKNOWN = 0
NO_SLIP = 1
DROP_MISSED = 2
DROP_MISSED_ALIGNED = 3
@staticmethod
def from_string(slip_mode):
if slip_mode == "no_slip":
return SlipMode.NO_SLIP
elif slip_mode == "drop_missed":
return SlipMode.DROP_MISSED
elif slip_mode == "drop_missed_aligned":
return SlipMode.DROP_MISSED_ALIGNED
return SlipMode.UNKNOWN
@staticmethod
def to_string(slip_mode):
if slip_mode == SlipMode.NO_SLIP:
return "no_slip"
elif slip_mode == SlipMode.DROP_MISSED:
return "drop_missed"
elif slip_mode == SlipMode.DROP_MISSED_ALIGNED:
return "drop_missed_aligned"
return "unknown"
class Schedule(object):
def __init__(self):
self.not_before = None
self.repeat_after = 0
self.slip_mode = SlipMode.DROP_MISSED_ALIGNED
def is_equivalent_to(self, other):
return \
self.not_before == other.not_before and \
self.repeat_after == other.repeat_after and \
self.slip_mode == other.slip_mode
def load_from_xml_element(self, element):
schedule_not_before_attr = element.get("not_before")
# we expect UTC, no timezone shifts
if schedule_not_before_attr is not None:
self.not_before = datetime.strptime(
schedule_not_before_attr,
"%Y-%m-%dT%H:%M"
)
else:
self.not_before = None
schedule_repeat_after_attr = element.get("repeat_after")
if schedule_repeat_after_attr is not None:
self.repeat_after = int(schedule_repeat_after_attr)
else:
self.repeat_after = None
self.slip_mode = SlipMode.from_string(
element.get("slip_mode", "drop_missed_aligned")
)
def to_xml_element(self):
ret = ElementTree.Element("schedule")
if self.not_before is not None:
ret.set("not_before", self.not_before.strftime("%Y-%m-%dT%H:%M"))
ret.set("repeat_after", str(self.repeat_after))
ret.set("slip_mode", SlipMode.to_string(self.slip_mode))
return ret
def next_not_before(self, reference_datetime):
"""Calculates the next schedule_not_before based on
schedule_repeat_after and schedule_slip_mode.
"""
if self.not_before is None:
# the task is already disabled, no need to schedule next run
return None
if self.repeat_after is None:
# task repetition is disabled
return None
if self.slip_mode == SlipMode.NO_SLIP:
return self.not_before + timedelta(hours=self.repeat_after)
elif self.slip_mode == SlipMode.DROP_MISSED:
return reference_datetime + timedelta(hours=self.repeat_after)
elif self.slip_mode == SlipMode.DROP_MISSED_ALIGNED:
candidate = self.not_before + timedelta(hours=self.repeat_after)
while candidate <= reference_datetime:
candidate += timedelta(hours=self.repeat_after)
return candidate
else:
raise RuntimeError("Unrecognized slip_mode.")
class Task(object):
"""This class defined input content, tailoring, profile, ..., and schedule
for an SCAP evaluation task.
Example of a task:
Run USGCB evaluation on RHEL6 localhost machine, every day at 1:00.
Task is composed of EvaluationSpec and Schedule
"""
def __init__(self):
self.id_ = None
self.config_file = None
self.enabled = False
self.title = None
self.evaluation_spec = evaluation_spec.EvaluationSpec()
# How many results should we keep before pruning old results
# -1 means use the default from config
# -2 means never prune any results
self.max_results_to_keep = -1
self.schedule = Schedule()
# If True, this task will be evaluated once without affecting the
# schedule. This feature is important for test runs. This variable does
# not persist because it is not saved to the config file!
self.run_outside_schedule_once = False
# Prevents multiple updates of the same task running
self.update_lock = threading.Lock()
def __str__(self):
ret = "Task from config file '%s' with:\n" % (self.config_file)
ret += "- ID: \t%i\n" % (self.id_)
ret += "- title: \t%s\n" % (self.title)
ret += str(self.evaluation_spec) + "\n"
ret += "- max results to keep: \t%s\n" % \
("default" if self.max_results_to_keep == -1
else str(self.max_results_to_keep))
ret += "- schedule:\n"
ret += " - not before: \t%s\n" % (self.schedule.not_before)
ret += " - repeat after: \t%s\n" % (self.schedule.repeat_after)
ret += " - slip mode: \t%s\n" %\
(SlipMode.to_string(self.schedule.slip_mode))
return ret
def is_valid(self):
if not self.evaluation_spec.is_valid():
return False
return True
def is_equivalent_to(self, other):
"""Checks that both "Task self" and "Task other" are the same except for
id_ and config_file.
"""
return \
self.evaluation_spec.is_equivalent_to(other.evaluation_spec) and \
self.title == other.title and \
self.max_results_to_keep == other.max_results_to_keep and \
self.schedule.is_equivalent_to(other.schedule) and \
self.run_outside_schedule_once == other.run_outside_schedule_once
@staticmethod
def get_task_id_from_filepath(filepath):
filename, extension = os.path.splitext(
os.path.basename(filepath)
)
ret = int(filename)
assert(ret > 0)
return ret
def load_from_xml_element(self, root, config_file):
self.id_ = Task.get_task_id_from_filepath(config_file)
self.enabled = root.get("enabled", "false") == "true"
self.title = et_helpers.get_element_text(root, "title")
self.evaluation_spec = evaluation_spec.EvaluationSpec()
self.evaluation_spec.load_from_xml_element(
et_helpers.get_element(root, "evaluation_spec")
)
self.max_results_to_keep = \
int(et_helpers.get_element_text(root, "max-results-to-keep", "-1"))
self.schedule = Schedule()
self.schedule.load_from_xml_element(
et_helpers.get_element(root, "schedule")
)
self.config_file = config_file
def load(self, config_file):
tree = ElementTree.parse(config_file)
root = tree.getroot()
self.load_from_xml_element(root, config_file)
def reload(self):
if self.config_file is not None:
raise RuntimeError("Can't reload, config_file is not set.")
self.load(self.config_file)
def to_xml_element(self):
root = ElementTree.Element("task")
root.set("enabled", "true" if self.enabled else "false")
if self.title is not None:
title_element = ElementTree.Element("title")
title_element.text = self.title
root.append(title_element)
evaluation_spec_element = self.evaluation_spec.to_xml_element()
root.append(evaluation_spec_element)
if self.max_results_to_keep != -1:
max_results_element = ElementTree.Element("max-results-to-keep")
max_results_element.text = str(self.max_results_to_keep)
root.append(max_results_element)
schedule_element = self.schedule.to_xml_element()
root.append(schedule_element)
return root
def save_as(self, config_file):
root = self.to_xml_element()
et_helpers.indent(root)
xml_source = ElementTree.tostring(root, encoding="utf-8")
with io.open(config_file, "w", encoding="utf-8") as f:
f.write(u"\n")
f.write(xml_source.decode("utf-8"))
def save(self):
assert(self.config_file is not None)
self.save_as(self.config_file)
def next_schedule_not_before(self, reference_datetime):
# TODO: Get rid of this delegate
return self.schedule.next_not_before(reference_datetime)
def _get_task_results_dir(self, results_dir):
ret = os.path.join(results_dir, str(self.id_))
if not os.path.exists(ret):
os.mkdir(ret)
return ret
def list_result_ids(self, results_dir):
"""IDs are returned in reverse order sorted by strings as if they were
integers.
for example: ['10', '9', '8', '1']
"""
# The lambda is there to make sure we don't consider 2 "larger"
# than 10. For example to avoid sorted lists such as:
# ['9', '8', '10', '1'] where we wanted ['10', '9', '8', '1']
return sorted(
os.listdir(self._get_task_results_dir(results_dir)), reverse=True,
key=lambda s: (len(s), s)
)
def get_result_created_timestamp(self, result_id, config):
"""Return timestamp of result creation.
"""
# todo refactor - the path is used from many places
file_path = os.path.join(
self._get_task_results_dir(config.results_dir),
str(result_id),
"exit_code"
)
timestamp = os.path.getctime(file_path)
return timestamp
def _get_next_target_dir(self, results_dir):
# We may consider having a file that contains the last ID in the
# future. I considered that but right now I think a result with more
# than a few thousand results is unlikely. User will use results
# purging. Sorting a couple thousand results is still very quick.
# Having a file with the last ID makes this operation O(1) instead
# of O(n*log(n)).
# result_ids are guaranteed to be reverse sorted by int
result_ids = self.list_result_ids(results_dir)
last = 0
for last_candidate in result_ids:
try:
last = int(last_candidate)
break
except:
pass
ret = os.path.join(
self._get_task_results_dir(results_dir),
str(last + 1)
)
assert(not os.path.exists(ret))
return ret
def remove_results(self, config):
logging.debug("Removing all results of task '%s'.", self.id_)
task_results_dir = self._get_task_results_dir(config.results_dir)
shutil.rmtree(task_results_dir, False)
def remove_result(self, result_id, config):
# todo needs refactoring - the path is used from many places
result_path = os.path.join(
self._get_task_results_dir(config.results_dir),
str(result_id),
)
logging.debug(
"Removing ARF of result '%s' of task '%i', expected path '%s'.",
str(result_id), self.id_, result_path
)
shutil.rmtree(result_path, False)
logging.info(
"Removed result '%s' of task '%i'.", str(result_id), self.id_
)
def get_next_update_time(self, reference_datetime, log=False):
if not self.enabled:
if log:
logging.debug(
"Task '%i' is disabled, not updating it.", self.id_
)
return None
if self.run_outside_schedule_once:
if log:
logging.debug(
"Evaluating task '%i'. It was set to be run once outside "
"its schedule.", self.id_
)
return reference_datetime
if self.schedule.not_before is None:
if log:
logging.debug(
"Task '%i' is enabled but schedule.not_before is None. "
"It won't be run automatically.", self.id_
)
return self.schedule.not_before
def should_be_updated(self, reference_datetime, log=False):
next_update_time = self.get_next_update_time(reference_datetime, log)
if next_update_time is not None and \
next_update_time <= reference_datetime:
if log:
logging.debug(
"Evaluating task '%i'. It was scheduled to be "
"evaluated later than %s, reference_datetime %s is "
"higher than or equal.",
self.id_, next_update_time, reference_datetime
)
return True
return False
def prune_old_results(self, config):
max_results_to_keep = self.max_results_to_keep
if max_results_to_keep == -1:
max_results_to_keep = config.max_results_to_keep
if max_results_to_keep < 0:
# pruning is disabled
return
result_ids = self.list_result_ids(config.results_dir)
result_ids_to_remove = result_ids[max_results_to_keep:]
if result_ids_to_remove:
logging.info("Pruning old results of task '%i'...", self.id_)
for result_id in reversed(result_ids_to_remove):
self.remove_result(result_id, config)
def update(self, reference_datetime, config):
"""Figures out if the task should be run right now, alters the schedule
values accordingly.
reference datetime is passed mainly because of easier diagnostics.
It prevents some tasks being run and others not even though they have
the same not_before value.
Assumption: tick is never in parallel on the same Task. It can be run
in parallel on different tasks but at most once for 1 Task instance.
"""
with self.update_lock:
if not self.is_valid():
raise RuntimeError("Can't update an invalid Task.")
if self.should_be_updated(reference_datetime, True):
wip_result = self.evaluation_spec.evaluate_into_dir(config)
# We already have update_lock, there is no risk of a race
# condition between acquiring target dir and moving the results
# there.
target_dir = self._get_next_target_dir(config.results_dir)
logging.debug(
"Moving results of task '%s' from '%s' to '%s'.",
self.id_, wip_result, target_dir
)
shutil.move(wip_result, target_dir)
logging.info(
"Evaluated task '%s', new result in '%s'.",
self.id_, target_dir
)
if not self.run_outside_schedule_once:
self.schedule.not_before = \
self.schedule.next_not_before(reference_datetime)
self.save()
else:
self.run_outside_schedule_once = False
# we have one extra result, let's prune old results
self.prune_old_results(config)
def generate_guide(self, config):
return self.evaluation_spec.generate_guide(config)
def run_outside_schedule(self):
if not self.enabled:
raise RuntimeError(
"This task is disabled. Enable it first if you want to run it "
"once outside the schedule!"
)
if self.run_outside_schedule_once:
raise RuntimeError(
"This task was already scheduled to be run once "
"outside the schedule!"
)
self.run_outside_schedule_once = True
logging.info(
"Set task '%i' to be run once outside the schedule.", self.id_
)
def get_xml_of_result(self, result_id, config):
# TODO: This needs refactoring in the future, the secret that the file
# is called "results.xml" is all over the place.
path = os.path.join(
self._get_task_results_dir(config.results_dir),
str(result_id),
"results.xml"
)
logging.debug(
"Retrieving XML of result '%i' of task '%i', expected path '%s'.",
result_id, self.id_, path
)
ret = ""
with io.open(path, "r", encoding="utf-8") as f:
ret = f.read()
logging.info(
"Retrieved XML of result '%i' of task '%i'.",
result_id, self.id_
)
return ret
def get_stdout_of_result(self, result_id, config):
path = os.path.join(
self._get_task_results_dir(config.results_dir),
str(result_id),
"stderr"
)
ret = ""
with io.open(path, "r", encoding="utf-8") as f:
ret = f.read()
return ret
def get_stderr_of_result(self, result_id, config):
path = os.path.join(
self._get_task_results_dir(config.results_dir),
str(result_id),
"stderr"
)
ret = ""
with io.open(path, "r", encoding="utf-8") as f:
ret = f.read()
return ret
def get_exit_code_of_result(self, result_id, config):
path = os.path.join(
self._get_task_results_dir(config.results_dir),
str(result_id),
"exit_code"
)
ret = ""
with io.open(path, "r", encoding="utf-8") as f:
ret = f.read()
return int(ret.strip())
def generate_report_for_result(self, result_id, config):
return oscap_helpers.generate_report_for_result(
self.evaluation_spec,
self._get_task_results_dir(config.results_dir),
result_id,
config
)
def generate_fix_for_result(self, result_id, config, fix_type):
results_dir = self._get_task_results_dir(config.results_dir)
results_path = os.path.join(results_dir, str(result_id), "results.xml")
return oscap_helpers.generate_fix_for_result(
config,
results_path,
fix_type
)
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cli_helpers.py������������������������������������������������0000644�0001751�0000033�00000024603�13163222324�021254� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import sys
import os.path
import logging
from openscap_daemon import evaluation_spec
from xml.etree import cElementTree as ElementTree
if sys.version_info < (3,):
py2_raw_input = raw_input
else:
py2_raw_input = input
def print_table(table, first_row_header=True):
"""Takes given table - list of lists - and prints it as a table, using
ASCII characters for formatting.
The first row is formatted as a header.
I did consider using some python package or module to do this but that
would introduce additional dependencies. The functionality we need is simple
enough to write it ourselves.
"""
column_max_sizes = {}
for row in table:
for i, column_cell in enumerate(row):
if i not in column_max_sizes:
column_max_sizes[i] = 0
column_max_sizes[i] = \
max(column_max_sizes[i], len(str(column_cell)))
total_width = len(" | ".join(
[" " * max_size for max_size in column_max_sizes.values()]
))
start_row = 0
if first_row_header:
assert(len(table) > 0)
print("-+-".join(
"-" * max_size for max_size in column_max_sizes.values())
)
print(" | ".join(
[str(cell).ljust(column_max_sizes[table[start_row].index(cell)])
for cell in table[start_row]]
))
print("-+-".join(
"-" * max_size for max_size in column_max_sizes.values())
)
start_row += 1
for row in table[start_row:]:
print(" | ".join(
[str(cell).ljust(column_max_sizes[row.index(cell)])
for cell in row]
))
def cli_create_evaluation_spec(dbus_iface):
"""Interactively create EvaluationSpec and return it. Returns None if user
cancels the action.
"""
print("Creating EvaluationSpec interactively...")
print("")
try:
target = py2_raw_input("Target (empty for localhost): ")
if not target:
target = "localhost"
print("Found the following SCAP Security Guide content: ")
ssg_choices = dbus_iface.GetSSGChoices()
for i, ssg_choice in enumerate(ssg_choices):
print("\t%i: %s" % (i + 1, ssg_choice))
input_file = None
input_ssg_choice = py2_raw_input(
"Choose SSG content by number (empty for custom content): ")
if not input_ssg_choice:
input_file = py2_raw_input("Input file (absolute path): ")
else:
input_file = ssg_choices[int(input_ssg_choice) - 1]
input_file = os.path.abspath(input_file)
tailoring_file = py2_raw_input(
"Tailoring file (absolute path, empty for no tailoring): ")
if tailoring_file in [None, ""]:
tailoring_file = ""
else:
tailoring_file = os.path.abspath(tailoring_file)
print("Found the following possible profiles: ")
profile_choices = dbus_iface.GetProfileChoicesForInput(
input_file, tailoring_file
)
for i, (key, value) in enumerate(profile_choices.items()):
print("\t%i: %s (id='%s')" % (i + 1, value, key))
profile_choice = py2_raw_input(
"Choose profile by number (empty for (default) profile): ")
if profile_choice is not None:
profile = list(profile_choices.keys())[int(profile_choice) - 1]
else:
profile = None
online_remediation = False
if py2_raw_input("Online remediation (1, y or Y for yes, else no): ") \
in ["1", "y", "Y"]:
online_remediation = True
ret = evaluation_spec.EvaluationSpec()
ret.target = target
ret.input_.set_file_path(input_file)
if tailoring_file not in [None, ""]:
ret.tailoring.set_file_path(tailoring_file)
ret.profile_id = profile
ret.online_remediation = online_remediation
return ret
except KeyboardInterrupt:
return None
def preprocess_targets(targets, output_dir_map):
"""The main goal of this function is to expand chroots-in-dir:// to a list
of chroot:// targets. chroots-in-dir is a convenience function that the rest
of the OpenSCAP-daemon API doesn't know about.
The output_dir_map maps the processed targets to directories from
chroots-in-dir expansion.
"""
ret = []
for target in targets:
if target.startswith("chroots-in-dir://"):
logging.debug("Expanding target '%s'...", target)
dir_ = os.path.abspath(target[len("chroots-in-dir://"):])
for chroot in os.listdir(dir_):
full_path = os.path.abspath(os.path.join(dir_, chroot))
if not os.path.isdir(full_path):
continue
expanded_target = "chroot://" + full_path
logging.debug(" ... '%s'", expanded_target)
ret.append(expanded_target)
output_dir_map[expanded_target] = chroot
logging.debug("Finished expanding target '%s'.", target)
else:
ret.append(target)
return ret
def summarize_cve_results(oval_source, result_list):
"""Takes given OVAL source, assuming it is CVE feed OVAL results source,
and parses it. Each definition that has result 'true' is added to
result_list.
This is used to produce JSON output for atomic scan in
`oscapd-evaluate scan`.
"""
namespaces = {
"ovalres": "http://oval.mitre.org/XMLSchema/oval-results-5",
"ovaldef": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
}
oval_root = ElementTree.fromstring(oval_source.encode("utf-8"))
for result in oval_root.findall(
"ovalres:results/ovalres:system/"
"ovalres:definitions/*[@result='true']",
namespaces):
definition_id = result.get("definition_id")
assert(definition_id is not None)
definition_meta = oval_root.find(
"./ovaldef:oval_definitions/ovaldef:definitions/*[@id='%s']/"
"ovaldef:metadata" % (definition_id),
namespaces
)
assert(definition_meta is not None)
title = definition_meta.find("ovaldef:title", namespaces)
# there can only be one RHSA per definition
rhsa = definition_meta.find("ovaldef:reference[@source='RHSA']",
namespaces)
# there can be one or more CVEs per definition
cves = definition_meta.findall("ovaldef:reference[@source='CVE']",
namespaces)
description = definition_meta.find("ovaldef:description", namespaces)
severity = definition_meta.find("ovaldef:advisory/ovaldef:severity",
namespaces)
result_json = {}
result_json["Title"] = title.text if title is not None else "unknown"
result_json["Description"] = \
description.text if description is not None else "unknown"
result_json["Severity"] = \
severity.text if severity is not None else "unknown"
custom = {}
if rhsa is not None:
custom["RHSA ID"] = rhsa.get("ref_id", "unknown")
custom["RHSA URL"] = rhsa.get("ref_url", "unknown")
if len(cves) > 0:
custom["Associated CVEs"] = []
for cve in cves:
custom["Associated CVEs"].append(
{"CVE ID": cve.get("ref_id", "unknown"),
"CVE URL": cve.get("ref_url", "unknown")}
)
result_json["Custom"] = custom
result_list.append(result_json)
def summarize_standard_compliance_results(arf_source, result_list, profile):
"""Takes given ARF XML source and parses it. Each Rule that doesn't have
result 'pass', 'fixed', 'informational', 'notselected' or 'notapplicable'
is added to result_list.
This is used to produce JSON output for atomic scan in
`oscapd-evaluate scan`.
"""
namespaces = {
"cdf": "http://checklists.nist.gov/xccdf/1.2",
}
arf_root = ElementTree.fromstring(arf_source.encode("utf-8"))
test_result = arf_root.find(
".//cdf:TestResult[@id='%s']" %
# this ID prefix is hardcoded in oscap
("xccdf_org.open-scap_testresult_" + profile), namespaces
)
benchmark = arf_root.find(".//cdf:Benchmark", namespaces)
for rule_result in test_result.findall("./cdf:rule-result", namespaces):
result = rule_result.find("cdf:result", namespaces).text
if result in ["pass", "fixed", "informational", "notselected",
"notapplicable"]:
continue
rule_id = rule_result.get("idref")
assert(rule_id is not None)
rule = benchmark.find(".//cdf:Rule[@id='%s']" % (rule_id), namespaces)
assert(rule is not None)
title = rule.find("cdf:title", namespaces)
description = rule.find("cdf:description", namespaces)
severity = rule.get("severity", "Unknown")
if severity in "low":
severity = "Low"
elif severity == "medium":
severity = "Moderate"
elif severity == "high":
severity = "Important"
else: # "info", a valid XCCDF severity falls here
severity = "Unknown"
result_json = {}
result_json["Title"] = title.text if title is not None else "unknown"
if description is None:
result_json["Description"] = "unknown"
else:
result_json["Description"] = ElementTree.tostring(description, method="text").decode("utf-8")
result_json["Severity"] = severity
result_json["Custom"] = {"XCCDF result": result}
result_list.append(result_json)
�����������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/system.py�����������������������������������������������������0000644�0001751�0000033�00000053277�13163222324�020320� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import os
import os.path
from datetime import datetime
import threading
import logging
from openscap_daemon.task import Task
from openscap_daemon.config import Configuration
from openscap_daemon import oscap_helpers
from openscap_daemon import async
class ResultsNotAvailable(Exception):
def __init__(self):
super(ResultsNotAvailable, self).__init__()
EVALUATION_PRIORITY = 0
TASK_ACTION_PRIORITY = 10
class System(object):
def __init__(self, config_file):
self.async = async.AsyncManager()
logging.info("Loading configuration from '%s'.", config_file)
self.config = Configuration()
self.config.load(config_file)
self.config.autodetect_tool_paths()
self.config.autodetect_content_paths()
self.config.prepare_dirs()
self.config.sanity_check()
self.async_eval_spec_results = dict()
self.async_eval_spec_results_lock = threading.Lock()
self.tasks = dict()
self.tasks_lock = threading.Lock()
# a set of tasks that have already been scheduled, we keep this so that
# we don't schedule a task twice in a row
self.tasks_scheduled = set()
self.update_wait_cond = threading.Condition()
self.async_eval_cve_scanner_worker_results = dict()
self.async_eval_cve_scanner_worker_results_lock = threading.Lock()
def get_ssg_choices(self):
ret = []
if self.config.ssg_path == "":
return ret
if not os.path.isdir(self.config.ssg_path):
return ret
for ssg_file in os.listdir(self.config.ssg_path):
full_path = os.path.join(self.config.ssg_path, ssg_file)
if not os.path.isfile(full_path):
continue
if not full_path.endswith("-ds.xml"):
continue
ret.append(full_path)
return sorted(ret)
def get_profile_choices_for_input(self, input_file, tailoring_file):
return oscap_helpers.get_profile_choices_for_input(
input_file, tailoring_file
)
class AsyncEvaluateSpecAction(async.AsyncAction):
def __init__(self, system, spec):
super(System.AsyncEvaluateSpecAction, self).__init__()
self.system = system
self.spec = spec
def run(self):
arf, stdout, stderr, exit_code = \
self.spec.evaluate(self.system.config)
with self.system.async_eval_spec_results_lock:
self.system.async_eval_spec_results[self.token] = \
(arf, stdout, stderr, exit_code)
def __str__(self):
return "Evaluate Spec '%s'" % (self.spec)
def evaluate_spec_async(self, spec):
return self.async.enqueue(
System.AsyncEvaluateSpecAction(
self,
spec
),
EVALUATION_PRIORITY
)
def get_evaluate_spec_async_results(self, token):
with self.async_eval_spec_results_lock:
if token not in self.async_eval_spec_results:
raise ResultsNotAvailable()
arf, stdout, stderr, exit_code = self.async_eval_spec_results[token]
del self.async_eval_spec_results[token]
return arf, stdout, stderr, exit_code
def load_tasks(self):
logging.info("Loading task definitions from '%s'...",
self.config.tasks_dir)
task_files = os.listdir(self.config.tasks_dir)
task_count = 0
for task_file in task_files:
if not task_file.endswith(".xml"):
logging.warning(
"Found '%s' in task definitions directory '%s'. Paths "
"not ending with '.xml' are unexpected in the task "
"definitions directory ", task_file, self.config.tasks_dir
)
continue
full_path = os.path.join(self.config.tasks_dir, task_file)
if not os.path.isfile(full_path):
logging.warning(
"Found '%s' in task definitions directory '%s'. This path "
"is not a file. Only files are expected in the task "
"definitions directory ", full_path, self.config.tasks_dir
)
continue
id_ = Task.get_task_id_from_filepath(full_path)
with self.tasks_lock:
if id_ not in self.tasks:
self.tasks[id_] = Task()
self.tasks[id_].load(full_path)
task_count += 1
with self.update_wait_cond:
self.update_wait_cond.notify_all()
logging.info(
"Successfully loaded %i task definitions.", task_count
)
def save_tasks(self):
logging.info("Saving task definitions to '%s'...",
self.config.tasks_dir)
task_count = 0
with self.tasks_lock:
for _, task in self.tasks.items():
task.save()
task_count += 1
logging.info(
"Successfully saved %i task definitions.", task_count
)
def list_task_ids(self):
ret = []
with self.tasks_lock:
ret = self.tasks.keys()
return ret
def create_task(self):
task_id = 1
with self.tasks_lock:
while task_id in self.tasks:
task_id += 1
task = Task()
task.id_ = task_id
task.config_file = os.path.join(
self.config.tasks_dir, "%i.xml" % (task_id)
)
self.tasks[task_id] = task
# We do not save the task on purpose, empty tasks are worthless.
# The task will be saved to disk as soon as one of its properties is
# set.
# task.save()
logging.info("Created a new empty task with ID '%i'.", task_id)
# Do not notify the update_wait_cond, the task is disabled so it
# doesn't affect the schedule in any way
# with self.update_wait_cond:
# self.update_wait_cond.notify_all()
return task_id
def remove_task(self, task_id, remove_results):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
if task.enabled:
raise RuntimeError(
"Can't remove enabled task '%i'. Please disable it first." %
(task_id)
)
if not remove_results:
result_ids = task.list_result_ids(self.config.results_dir)
if len(result_ids) > 0:
raise RuntimeError(
"Can't remove task '%i', in has %i results stored. "
"Please remove all the results first." %
(task_id, len(result_ids))
)
else:
logging.debug("Remove task results before.")
task.remove_results(self.config)
del self.tasks[task_id]
os.remove(self._get_task_file_path(task_id))
logging.info("Removed task '%i'.", task_id)
def _get_task_file_path(self, task_id):
return os.path.join(self.config.tasks_dir, "%i.xml" % (task_id))
def remove_task_results(self, task_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
task.remove_results(self.config)
def remove_task_result(self, task_id, result_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
task.remove_result(result_id, self.config)
def set_task_enabled(self, task_id, enabled):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
task.enabled = bool(enabled)
task.save()
logging.info(
"%s task with ID %i.",
"Enabled" if enabled else "Disabled", task_id
)
if task.enabled:
with self.update_wait_cond:
self.update_wait_cond.notify_all()
def get_task_enabled(self, task_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.enabled
def set_task_title(self, task_id, title):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
task.title = title
task.save()
logging.info("Set title of task with ID %i to '%s'.", task_id, title)
def get_task_title(self, task_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.title
def set_task_target(self, task_id, target):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
task.evaluation_spec.target = target
task.save()
logging.info("Set target of task with ID %i to '%s'.", task_id, target)
def get_task_target(self, task_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.evaluation_spec.target
def get_task_created_timestamp(self, task_id):
task_path = self._get_task_file_path(task_id)
return os.path.getctime(task_path)
def get_task_modified_timestamp(self, task_id):
task_path = self._get_task_file_path(task_id)
return os.path.getmtime(task_path)
def set_task_input(self, task_id, input_):
"""input can be an absolute file path or the XML source itself. This is
autodetected.
"""
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
if input_ is None or os.path.isabs(input_):
task.evaluation_spec.input_.set_file_path(input_)
logging.info(
"Set input content of task with ID %i to file '%s'.",
task_id, input_
)
else:
task.evaluation_spec.input_.set_contents(input_)
logging.info(
"Set input content of task with ID %i to custom XML.",
task_id
)
task.save()
def set_task_tailoring(self, task_id, tailoring):
"""tailoring can be an absolute file path or the XML source itself.
This is autodetected.
"""
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
if tailoring is None or os.path.isabs(tailoring):
task.evaluation_spec.tailoring.set_file_path(tailoring)
logging.info(
"Set tailoring content of task with ID %i to file '%s'.",
task_id, tailoring
)
else:
task.evaluation_spec.tailoring.set_contents(tailoring)
logging.info(
"Set tailoring content of task with ID %i to custom XML.",
task_id
)
task.save()
def set_task_profile_id(self, task_id, profile_id):
task = None
if profile_id == "":
profile_id = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
task.evaluation_spec.profile_id = profile_id
task.save()
logging.info(
"Set profile ID of task with ID %i to '%s'.", task_id, profile_id
)
def set_task_online_remediation(self, task_id, remediation_enabled):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
task.evaluation_spec.online_remediation = bool(remediation_enabled)
task.save()
logging.info(
"%s online remediation of task with ID %i.",
"Enabled" if remediation_enabled else "Disabled", task_id
)
def set_task_schedule_not_before(self, task_id, schedule_not_before):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
task.schedule.not_before = schedule_not_before
task.save()
logging.info(
"Set schedule not before of task with ID %i to %s.",
task_id, schedule_not_before
)
# This changes the schedule which potentially obsoletes the precomputed
# schedule. Make sure we re-schedule everything.
if task.enabled:
with self.update_wait_cond:
self.update_wait_cond.notify_all()
def set_task_schedule_repeat_after(self, task_id, schedule_repeat_after):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
with task.update_lock:
task.schedule.repeat_after = schedule_repeat_after
task.save()
logging.info(
"Set schedule repeat after of task with ID %i to %s.",
task_id, schedule_repeat_after
)
# This changes the schedule which potentially obsoletes the precomputed
# schedule. Make sure we re-schedule everything.
if task.enabled:
with self.update_wait_cond:
self.update_wait_cond.notify_all()
def get_closest_datetime(self, reference_datetime):
ret = None
with self.tasks_lock:
for task in self.tasks.values():
if task.id_ in self.tasks_scheduled:
continue
next_update_time = task.get_next_update_time(reference_datetime)
if next_update_time is None:
continue
if ret is None or next_update_time < ret:
ret = next_update_time
return ret
class AsyncUpdateTaskAction(async.AsyncAction):
def __init__(self, system, task_id, reference_datetime):
super(System.AsyncUpdateTaskAction, self).__init__()
self.system = system
self.task_id = task_id
self.reference_datetime = reference_datetime
def run(self):
task = None
with self.system.tasks_lock:
task = self.system.tasks[self.task_id]
task.update(self.reference_datetime, self.system.config)
with self.system.tasks_lock:
self.system.tasks_scheduled.remove(task.id_)
def __str__(self):
return "Update Task '%i' with reference_datetime='%s'" \
% (self.task_id, self.reference_datetime)
def schedule_tasks(self, reference_datetime=None):
"""Evaluates all currently outstanding tasks and returns.
Outstanding task means it's not_before is lower than reference_datetime,
and it is not disabled. Tasks can be processed in parallel if their
targets differ. No two tasks with the same target will be run in
parallel regardless of max_jobs setting.
reference_datetime - Which date/time should be used to plan tasks.
max_jobs - Use at most this amount of threads to evaluate.
"""
if reference_datetime is None:
reference_datetime = datetime.utcnow()
logging.debug(
"Scheduling task updates, reference_datetime='%s'.",
str(reference_datetime)
)
with self.tasks_lock:
for task in self.tasks.values():
if task.id_ in self.tasks_scheduled:
continue
if task.should_be_updated(reference_datetime):
self.tasks_scheduled.add(task.id_)
self.async.enqueue(
System.AsyncUpdateTaskAction(
self,
task.id_,
reference_datetime
),
TASK_ACTION_PRIORITY
)
def schedule_tasks_worker(self):
while True:
reference_datetime = datetime.now()
closest_datetime = self.get_closest_datetime(reference_datetime)
if closest_datetime is None:
with self.update_wait_cond:
logging.debug(
"No task is scheduled to run. Sleeping for an hour. "
"Interruptible if task specs change."
)
self.update_wait_cond.wait(60 * 60)
else:
time_to_wait = closest_datetime - reference_datetime
# because of ntp, daylight savings, etc, lets be safe
# and reschedule every hour at least
seconds_to_wait = min(60 * 60, time_to_wait.total_seconds())
if seconds_to_wait > 0:
with self.update_wait_cond:
logging.debug(
"Closest task action in %s. Sleeping until then. "
"Interruptible if task specs change.", time_to_wait
)
self.update_wait_cond.wait(seconds_to_wait)
self.schedule_tasks(reference_datetime)
def generate_guide_for_task(self, task_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.evaluation_spec.generate_guide(self.config)
def generate_fix_for_task(self, task_id, fix_type):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.evaluation_spec.generate_fix(self.config, fix_type)
def run_task_outside_schedule(self, task_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
task.run_outside_schedule()
with self.update_wait_cond:
self.update_wait_cond.notify_all()
def get_task_result_ids(self, task_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
# TODO: Is this a race condition? look into task.update
return task.list_result_ids(self.config.results_dir)
def get_task_result_created_timestamp(self, task_id, result_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.get_result_created_timestamp(result_id, self.config)
def get_xml_of_task_result(self, task_id, result_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.get_xml_of_result(result_id, self.config)
def get_stdout_of_task_result(self, task_id, result_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.get_stdout_of_result(result_id, self.config)
def get_stderr_of_task_result(self, task_id, result_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.get_stderr_of_result(result_id, self.config)
def get_exit_code_of_task_result(self, task_id, result_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.get_exit_code_of_result(result_id, self.config)
def generate_report_for_task_result(self, task_id, result_id):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.generate_report_for_result(
result_id,
self.config
)
def generate_fix_for_task_result(self, task_id, result_id, fix_type):
task = None
with self.tasks_lock:
task = self.tasks[task_id]
return task.generate_fix_for_result(
result_id,
self.config,
fix_type
)
class AsyncEvaluateCVEScannerWorkerAction(async.AsyncAction):
def __init__(self, system, worker):
super(System.AsyncEvaluateCVEScannerWorkerAction, self).__init__()
self.system = system
self.worker = worker
def run(self):
json_result = self.worker.start_application()
with self.system.async_eval_cve_scanner_worker_results_lock:
self.system.async_eval_cve_scanner_worker_results[self.token] = \
json_result
def __str__(self):
return "Evaluate CVE Scanner Worker '%s'" % (self.worker)
def evaluate_cve_scanner_worker_async(self, worker):
return self.async.enqueue(
System.AsyncEvaluateCVEScannerWorkerAction(
self,
worker
),
EVALUATION_PRIORITY
)
def get_evaluate_cve_scanner_worker_async_results(self, token):
with self.async_eval_cve_scanner_worker_results_lock:
if token not in self.async_eval_cve_scanner_worker_results:
raise ResultsNotAvailable()
json_results = self.async_eval_cve_scanner_worker_results[token]
del self.async_eval_cve_scanner_worker_results[token]
return json_results
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/��������������������������������������������������0000755�0001751�0000033�00000000000�13163222324�020672� 5����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/generate_summary.py�������������������������������0000644�0001751�0000033�00000023275�13163222324�024624� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2015 Brent Baude
# Copyright (C) 2015 Red Hat Inc., Durham, North Carolina.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
'''
Functions used by the docker_scanner to
generate the results dict from the oscap results.xml files
'''
import xml.etree.ElementTree as ET
from collections import namedtuple
from openscap_daemon.cve_scanner.scanner_error import ImageScannerClientError
import json
import sys
if sys.version_info < (3,):
import urlparse
else:
import urllib.parse as urlparse
class Create_Summary(object):
''' Class that provides the functions '''
_cve_tuple = namedtuple('oval_cve', ['title', 'severity', 'cve_ref_id',
'cve_ref_url', 'rhsa_ref_id', 'rhsa_ref_url',
'cve', 'description'])
def __init__(self):
self.containers = None
self.images = None
self.cve_info = None
def _get_root(self, result_file):
'''
Returns an ET object for the input XML which can be a file
or a URL pointing to an xml file
'''
from openscap_daemon.cve_scanner.image_scanner_client import Client
if result_file.startswith("http://"):
split_url = urlparse.urlsplit(result_file)
image_scanner = Client(split_url.hostname, port=split_url.port)
result_tree = image_scanner.getxml(result_file)
else:
result_tree = ET.parse(result_file)
return result_tree.getroot()
def _get_list_cve_def_ids(self, _root):
'''Returns a list of cve definition ids in the result file'''
_def_id_list = []
definitions = _root.findall("{http://oval.mitre.org/XMLSchema/"
"oval-results-5}results/{http://oval.mitre"
".org/XMLSchema/oval-results-5}system/{"
"http://oval.mitre.org/XMLSchema/oval-"
"results-5}definitions/*[@result='true']")
for def_id in definitions:
_def_id_list.append(def_id.attrib['definition_id'])
return _def_id_list
def _get_cve_def_info(self, _def_id_list, _root):
'''
Returns a list of tuples that contain information about the
cve themselves. Currently return are: title, severity, ref_id
and ref_url for the cve and rhsa, the cve id, and description
'''
cve_info_list = []
for def_id in _def_id_list:
oval_defs = _root.find("{http://oval.mitre.org/XMLSchema/oval-"
"definitions-5}oval_definitions/{http://"
"oval.mitre.org/XMLSchema/oval-definitions-"
"5}definitions/*[@id='%s']/{http://oval."
"mitre.org/XMLSchema/oval-definitions-5}"
"metadata" % def_id)
# title
title = oval_defs.find("{http://oval.mitre.org/XMLSchema/oval-"
"definitions-5}title").text
rhsa_meta = oval_defs.find("{http://oval.mitre.org/XMLSchema/oval"
"-definitions-5}reference[@source="
"'RHSA']")
cve_meta = oval_defs.find("{http://oval.mitre.org/XMLSchema/oval-"
"definitions-5}reference[@source='CVE']")
# description
description = oval_defs.find("{http://oval.mitre.org/XMLSchema/"
"oval-definitions-5}description").text
# severity
severity = oval_defs.find("{http://oval.mitre.org/XMLSchema/oval-"
"definitions-5}advisory/{http://oval."
"mitre.org/XMLSchema/oval-definitions"
"-5}severity").text
cve_info_list.append(
self._cve_tuple(title=title, severity=severity,
cve_ref_id=None if cve_meta is None
else cve_meta.attrib['ref_id'],
cve_ref_url=None if cve_meta is None
else cve_meta.attrib['ref_url'],
rhsa_ref_id=rhsa_meta.attrib['ref_id'],
rhsa_ref_url=rhsa_meta.attrib['ref_url'],
cve=def_id.replace(
"oval:com.redhat.rhsa:def:", ""),
description=description))
return cve_info_list
def get_cve_info(self, result_file):
'''
Wrapper function to return a list of tuples with
cve information from the xml input file
'''
_root = self._get_root(result_file)
_id_list = self._get_list_cve_def_ids(_root)
return self._get_cve_def_info(_id_list, _root)
def _return_cve_dict_info(self, title):
'''
Returns a dict containing the specific details of a cve which
includes title, rhsa/cve ref_ids and urls, cve number, and
description.
'''
cve_tuple = [cved for cved in self.cve_info if cved.title == title][0]
cve_dict_info = {'cve_title': cve_tuple.title,
'cve_ref_id': cve_tuple.cve_ref_id,
'cve_ref_url': cve_tuple.cve_ref_url,
'rhsa_ref_id': cve_tuple.rhsa_ref_id,
'rhsa_ref_url': cve_tuple.rhsa_ref_url,
'cve': cve_tuple.cve
}
return cve_dict_info
def _summarize_docker_object(self, result_file, docker_json, item_id):
'''
takes a result.xml file and a docker state json file and
compares output to give an analysis of a given scan
'''
self.cve_info = self.get_cve_info(result_file)
affected_image = 0
affected_children = []
is_image = self.is_id_an_image(item_id, docker_json)
summary = {}
if is_image:
summary['scanned_image'] = item_id
affected_image = item_id
affected_children = self._process_image(affected_image,
docker_json)
else:
summary['scanned_container'] = item_id
affected_children, affected_image = \
self._process_container(docker_json, item_id)
summary['image'] = affected_image
summary['containers'] = affected_children
scan_results = {}
for cve in self.cve_info:
_cve_specifics = self._return_cve_dict_info(cve.title)
if cve.severity not in scan_results:
scan_results[cve.severity] = \
{'num': 1,
'cves': [_cve_specifics]}
else:
scan_results[cve.severity]['num'] += 1
scan_results[cve.severity]['cves'].append(_cve_specifics)
summary['scan_results'] = scan_results
# self.debug_json(summary)
return summary
def _process_container(self, docker_json, item_id):
'''
Returns containers with the same base image
as a list
'''
affected_children = []
for image_id in docker_json['docker_state']:
for containers in docker_json['docker_state'][image_id]:
if item_id == containers['uuid']:
base_image = image_id
for containers in docker_json['docker_state'][base_image]:
affected_children.append(containers['uuid'])
return affected_children, base_image
# Deprecate or rewrite
def _process_image(self, affected_image, docker_json):
'''
Returns containers with a given base
as a list
'''
affected_children = []
# Catch an image that has no containers
if affected_image not in docker_json['docker_state']:
return []
# It has children containers
for containers in docker_json['docker_state'][affected_image]:
affected_children.append(containers['uuid'])
return affected_children
def is_id_an_image(self, docker_id, docker_obj):
'''
helper function that uses the docker_state_file to validate if the
given item_id is a container or image id
'''
if self.containers is None or self.images is None:
self.containers = docker_obj['host_containers']
self.images = docker_obj['host_images']
if docker_id in self.images:
return True
elif docker_id in self.containers:
return False
else:
# Item was not found in the docker state file
error_msg = 'The provided openscap xml result file was ' \
'not generated from the same run as the ' \
'docker state file '
raise ImageScannerClientError(error_msg)
def debug_json(self, json_data):
''' Pretty prints a json object for debug purposes '''
print(json.dumps(json_data, indent=4, separators=(',', ': ')))
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/image_scanner_client.py���������������������������0000644�0001751�0000033�00000040205�13163222324�025376� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2015 Brent Baude
# Copyright (C) 2015 Red Hat Inc., Durham, North Carolina.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
''' Image scanner API '''
from openscap_daemon.cve_scanner.scanner_error import ImageScannerClientError
import json
import xml.etree.ElementTree as ET
import collections
import os
import sys
from multiprocessing.dummy import Pool as ThreadPool
# TODO: External dep, verify that we really need it!
import requests
if sys.version_info < (3,):
import urlparse
import ConfigParser
else:
import urllib.parse as urlparse
import configparser as ConfigParser
class Client(requests.Session):
''' The image-scanner client API '''
request_headers = {'content-type': 'application/json'}
def __init__(self, host, port=5001, number=2):
'''
When instantiating, pass in the host and optionally
the port and threading counts
'''
super(Client, self).__init__()
self.host = "http://{0}:{1}" .format(host, port)
self.api_path = "image-scanner/api"
self.num_threads = number
self.client_common = ClientCommon()
def scan_all_containers(self, onlyactive=False):
''' Scans all containers and returns results in json'''
url = urlparse.urljoin(self.host, self.api_path + "/scan")
con_scan = 'allcontainers' if onlyactive is False else 'onlyactive'
params = {con_scan: True, 'number': self.num_threads}
results = self._get_results(url, data=json.dumps(params))
self._check_result(results)
return json.loads(results.text)
def scan_list(self, scan_list):
'''
Scans a list of containers/images by name or id and returns
results in json
'''
if not isinstance(scan_list, list):
raise ImageScannerClientError("You must pass input in list form")
url = urlparse.urljoin(self.host, self.api_path + "/scan")
params = {'scan': scan_list, 'number': self.num_threads}
results = self._get_results(url, data=json.dumps(params))
self._check_result(results)
return json.loads(results.text)
def scan_images(self, all=False):
'''Scans all images and returns results in json'''
url = urlparse.urljoin(self.host, self.api_path + "/scan")
if all:
params = {'allimages': True, 'number': self.num_threads}
else:
params = {'images': True, 'number': self.num_threads}
results = self._get_results(url, data=json.dumps(params))
self._check_result(results)
return json.loads(results.text)
def inspect_container(self, cid):
'''Inspects a container and returns all results in json'''
url = urlparse.urljoin(self.host, self.api_path + "/inspect_container")
results = self._get_results(url, data=json.dumps({'cid': cid}))
return json.loads(results.text)
def inspect_image(self, iid):
'''Inspects a container and returns the results in json'''
url = urlparse.urljoin(self.host, self.api_path + "/inspect_image")
results = self._get_results(url, json.dumps({'iid': iid}))
return json.loads(results.text)
def getxml(self, url):
'''
Given a URL string, returns the results of an openscap XML file as
an Element Tree
'''
try:
results = self.get(url)
except requests.exceptions.ConnectionError:
raise ImageScannerClientError("Unable to connect to REST server "
"at {0}".format(url))
return ET.ElementTree(ET.fromstring(results.content))
def get_docker_json(self, url):
'''
Given a URL, return the state of the docker containers and images
when the images-scanning occurred. Returns as JSON object.
'''
try:
results = self.get(url)
except requests.exceptions.ConnectionError:
raise ImageScannerClientError("Unable to connect to REST server "
"at {0}".format(url))
return json.loads(results.text)
def _get_results(self, url, data=None, headers=None):
'''Wrapper functoin for calling the request.session.get'''
headers = self.request_headers if headers is None else headers
try:
if data is not None:
results = self.get(url, data=data,
headers=headers)
else:
results = self.get(url, headers=headers, timeout=9)
except requests.exceptions.ConnectionError:
raise ImageScannerClientError("Unable to connect to REST server "
"at {0}".format(url))
except requests.exceptions.Timeout:
raise ImageScannerClientError("Timeout reached with REST server "
"at {0}".format(url))
return results
@staticmethod
def _check_result(result):
'''
Examines a json object looking for a key of 'Error'
which indicates the previous call did not work. Raises
an exception upon finding the key
'''
result_json = json.loads(result.text)
if 'Error' in result_json:
raise ImageScannerClientError(result_json['Error'])
if 'results' in result_json.keys() and 'Error' \
in result_json['results']:
raise ImageScannerClientError(result_json['results']['Error'])
def ping(self):
'''
Throws an exception if it cannot access the REST server or
the docker host
'''
url = urlparse.urljoin(self.host, self.api_path + "/ping")
results = self._get_results(url)
if 'results' not in json.loads(results.text):
tmp_obj = json.loads(results.text)
if hasattr(tmp_obj, 'error'):
error = getattr(tmp_obj, 'error')
else:
error = tmp_obj['Error']
error = error.replace('on the host ', 'on the host {0} '
.format(self.host))
raise ImageScannerClientError(error)
class ClientCommon(object):
''' Clients functions that are shared with other classes '''
config_file = "/etc/image-scanner/image-scanner-client.conf"
profile_tuple = collections.namedtuple('profiles', ['profile',
'host',
'port',
'cert',
'number'])
args_tuple = collections.namedtuple('scan_args',
['allimages', 'images',
'allcontainers', 'onlyactive'])
client_dir = "/var/tmp/image-scanner/client"
if not os.path.exists(client_dir):
os.makedirs(client_dir)
uber_file_path = os.path.join(client_dir, 'uber_docker.json')
def __init__(self):
self.uber_docker = {}
self.num_complete = 0
self.num_total = 0
self.last_completed = ""
self.threads = 0
@staticmethod
def debug_json(json_data):
''' Debug function that pretty prints json objects'''
print(json.dumps(json_data, indent=4, separators=(',', ': ')))
def get_profile_info(self, profile):
''' Looks for host and port based on the profile provided '''
config = ConfigParser.RawConfigParser()
config.read(self.config_file)
try:
port = config.get(profile, 'port')
host = config.get(profile, 'host')
cert = None if not config.has_option(profile, 'cert') else \
config.get(profile, 'cert')
number = 2 if not config.has_option(profile, 'threads') else \
config.get(profile, 'threads')
except ConfigParser.NoSectionError:
raise ImageScannerClientError("The profile {0} cannot be found "
"in {1}".format(profile,
self.config_file))
except ConfigParser.NoOptionError as no_option:
print("No option {0} found in profile "\
"{1} in {2}".format(no_option.option,
profile,
self.config_file))
return host, port, number, cert
def _make_profile_tuple(self, host, port, number, cert, section):
''' Creates the profile_tuple and returns it '''
return self.profile_tuple(profile=section, host=host, port=port,
cert=None, number=number)
def return_profiles(self, input_profile_list):
'''
Returns a list of tuples with information about the
input profiles
'''
profile_list = []
config = ConfigParser.ConfigParser()
config.read(self.config_file)
for profile in input_profile_list:
host, port, number, cert = self.get_profile_info(profile)
if self.threads > 0:
number = self.threads
profile_list.append(self._make_profile_tuple(host, port,
number, cert, profile))
return profile_list
def return_all_profiles(self):
''' Returns a list of tuples with host and port information '''
profile_list = []
config = ConfigParser.ConfigParser()
config.read(self.config_file)
for section in config.sections():
host, port, number, cert = self.get_profile_info(section)
profile_list.append(self._make_profile_tuple(host, port, number,
cert, section))
return profile_list
def get_all_profile_names(self):
''' Returns a list of all profile names '''
profile_names = []
all_profiles = self.return_all_profiles()
for profile in all_profiles:
profile_names.append(profile.profile)
return profile_names
def thread_profile_wrapper(self, args):
''' Simple wrapper for thread_profiles '''
return self.thread_profiles(*args)
def thread_profiles(self, profile, onlyactive, allcontainers,
allimages, images):
''' Kicks off a scan of for a remote host'''
scanner = Client(profile.host, profile.port, number=profile.number)
try:
if onlyactive:
results = scanner.scan_all_containers(onlyactive=True)
elif allcontainers:
results = scanner.scan_all_containers()
elif allimages:
results = scanner.scan_images(all=True)
else:
results = scanner.scan_images()
except ImageScannerClientError as scan_error:
results = json.dumps({'error': str(scan_error)})
host_state = results if 'error' in results else \
scanner.get_docker_json(results['json_url'])
self.uber_docker[profile.profile] = host_state
self.num_complete += 1
self.last_completed = " Completed {0}".format(profile.profile)
def scan_multiple_hosts(self, profile_list, allimages=False, images=False,
allcontainers=False, onlyactive=False,
remote_threads=4, threads=0):
'''
Scan multiple hosts and returns an uber-docker object
which is basically an object with one or more docker
state objects in it.
'''
if (threads > 0):
self.threads = threads
if (threads < 2 or threads > 4):
raise ImageScannerClientError("Thread count must be between 2 "
"and 4")
scan_args = self.args_tuple(allimages=allimages, images=images,
allcontainers=allcontainers,
onlyactive=onlyactive)
# Check to make sure a scan type was selected
if not scan_args.allimages and not scan_args.images and not \
scan_args.allcontainers and not scan_args.onlyactive:
raise ImageScannerClientError("You must select \
a scan type")
# Check to make sure only one scan type was selected
if len([x for x in [scan_args.allimages, scan_args.images,
scan_args.allcontainers, scan_args.onlyactive]
if x is True]) > 1:
raise ImageScannerClientError("You may only select one \
type of scan")
# Check profile names are valid
all_profile_names = self.get_all_profile_names()
self._check_profile_is_valid(all_profile_names, profile_list)
# Obtain list of profiles
profiles = self.return_profiles(profile_list)
self.num_total = len(profiles)
# FIXME
# Make this a variable based on desired number
pool = ThreadPool(remote_threads)
pool.map(self.thread_profile_wrapper,
[(x, scan_args.onlyactive, scan_args.allcontainers,
scan_args.allimages, scan_args.images) for x in profiles])
with open(self.uber_file_path, 'w') as state_file:
json.dump(self.uber_docker, state_file)
return self.uber_docker
@staticmethod
def _check_profile_is_valid(all_profile_names, profile_list):
''' Checks a list of profiles to make sure they are valid '''
for profile in profile_list:
if profile not in all_profile_names:
raise ImageScannerClientError("Profile {0} is invalid"
.format(profile))
def load_uber(self):
''' Loads the uber json file'''
uber_obj = json.loads(open(self.uber_file_path).read())
return uber_obj
@staticmethod
def _sum_cves(scan_results_obj):
''' Returns the total number of CVEs found'''
num_cves = 0
sev_list = ['Critical', 'Important', 'Moderate', 'Low']
for sev in sev_list:
if sev in scan_results_obj.keys():
num_cves += scan_results_obj[sev]['num']
return num_cves
def mult_host_mini_pprint(self, uber_obj):
''' Pretty print the results of a multi host scan'''
print("\n")
print("{0:16} {1:15} {2:12}".format("Host", "Docker ID", "Results"))
print("-" * 50)
prev_host = None
for host in uber_obj.keys():
if 'error' in uber_obj[host]:
print("{0:16} {1:15} {2:12}"\
.format(host, "", json.loads(uber_obj[host])['error']))
print("")
continue
for scan_obj in uber_obj[host]['scanned_content']:
tmp_obj = uber_obj[host]['host_results'][scan_obj]
is_rhel = tmp_obj['isRHEL']
if is_rhel:
if len(tmp_obj['cve_summary']['scan_results'].keys()) < 1:
result = "Clean"
else:
num_cves = self._sum_cves(tmp_obj['cve_summary']
['scan_results'])
result = "Has {0} CVEs".format(num_cves)
else:
result = "Not based on RHEL"
if host is not prev_host:
out_host = host
prev_host = host
else:
out_host = ""
print("{0:16} {1:15} {2:12}".format(out_host, scan_obj[:12],
result))
print("")
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/reporter.py���������������������������������������0000644�0001751�0000033�00000006403�13163222324�023111� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2015 Brent Baude
# Copyright (C) 2015 Red Hat Inc., Durham, North Carolina.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
'''Reporter Class'''
import collections
import os
class Reporter(object):
''' Does stdout reporting '''
def __init__(self, appc):
self.output = collections.namedtuple('Summary', 'iid, cid, os, sevs,'
'log, msg',)
self.list_of_outputs = []
self.ac = appc
self.report_dir = os.path.join(self.ac.reportdir, "reports")
self.ac.docker_state = os.path.join(self.report_dir,
"docker_state.json")
if not os.path.exists(self.report_dir):
os.mkdir(self.report_dir)
self.content = ""
def report_summary(self):
'''
This function is the primary function to output results
to stdout when running the image-scanner
'''
for image in self.list_of_outputs:
short_cid_list = []
image_json = {image.iid: {}}
image_json[image.iid]['xml_path'] = os.path.join(
self.report_dir, image.iid + ".xml")
if image.msg is None:
for cid in image.cid:
short_cid_list.append(cid[:12])
image_json[image.iid]['cids'] = short_cid_list
image_json[image.iid]['critical'] = image.sevs['Critical']
image_json[image.iid]['important'] = \
image.sevs['Important']
image_json[image.iid]['moderate'] = image.sevs['Moderate']
image_json[image.iid]['low'] = image.sevs['Low']
image_json[image.iid]['os'] = image.os
else:
image_json[image.iid]['msg'] = image.msg
self.ac.return_json[image.iid] = image_json[image.iid]
report_files = []
for image in self.list_of_outputs:
if image.msg is None:
short_image = image.iid[:12] + ".scap"
out = open(os.path.join(self.report_dir, short_image), 'w')
report_files.append(short_image)
out.write(image.log)
out.close()
for report in report_files:
os.path.join(self.report_dir, report)
def _get_dtype(self, iid):
''' Returns whether the given id is an image or container '''
# Images
for image in self.ac.allimages:
if image['Id'].startswith(iid):
return "Image"
# Containers
for con in self.ac.cons:
if con['Id'].startswith(iid):
return "Container"
return None
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/applicationconfiguration.py�����������������������0000644�0001751�0000033�00000004426�13163222324�026345� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2015 Brent Baude
# Copyright (C) 2015 Red Hat Inc., Durham, North Carolina.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
# TODO: Integrate this to openscap_daemon.config package
from openscap_daemon.cve_scanner.scanner_error import ImageScannerClientError
class ApplicationConfiguration(object):
'''Application Configuration'''
def __init__(self, parserargs=None):
''' Init for Application Configuration '''
self.workdir = parserargs.workdir
self.logfile = parserargs.logfile
self.number = parserargs.number
self.reportdir = parserargs.reportdir
self.fetch_cve = parserargs.fetch_cve
self.fcons = None
self.cons = None
self.images = None
self.allimages = None
self.return_json = None
self.conn = self.ValidateHost(parserargs.host)
self.parserargs = parserargs
self.json_url = None
# "" means we will use oscap-docker defaults, else a string with URL
# is expected. example: "https://www.redhat.com/security/data/oval/"
self.fetch_cve_url = parserargs.fetch_cve_url
def ValidateHost(self, host):
''' Validates if the defined docker host is running'''
try:
import docker
except ImportError:
error = "Can't import 'docker' package. Has docker been installed?"
raise ImageScannerClientError(error)
client = docker.Client(base_url=host, timeout=11)
if not client.ping():
error = "Cannot connect to the Docker daemon. Is it running " \
"on this host?"
raise ImageScannerClientError(error)
return client
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/cve_scanner.py������������������������������������0000644�0001751�0000033�00000047205�13163222324�023542� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2015 Brent Baude
# Copyright (C) 2015 Red Hat Inc., Durham, North Carolina.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
from openscap_daemon.cve_scanner.applicationconfiguration \
import ApplicationConfiguration
from openscap_daemon.cve_scanner.reporter import Reporter
from openscap_daemon.cve_scanner.scan import Scan
from openscap_daemon.cve_scanner.generate_summary import Create_Summary
from openscap_daemon.cve_scanner.scanner_error import ImageScannerClientError
import dbus
import os
import tempfile
import timeit
import threading
import logging
import sys
import time
import signal
import subprocess
from datetime import datetime
import json
import platform
import collections
import re
class ContainerSearch(object):
''' Does a series of docker queries to setup variables '''
def __init__(self, appc):
self.dead_cids = []
self.ac = appc
self.cons = self.ac.conn.containers(all=True)
self.active_containers = self.ac.conn.containers(all=False)
self.allimages = self.ac.conn.images(name=None, quiet=False,
all=True, viz=False)
self.images = self.ac.conn.images(name=None, quiet=False,
all=False, viz=False)
self.allimagelist = self._returnImageList(self.allimages)
self.imagelist = self._returnImageList(self.images)
self.fcons = self._formatCons(self.cons)
self.fcons_active = self._formatCons(self.active_containers)
self.ac.fcons = self.fcons
self.ac.cons = self.cons
self.ac.allimages = self.allimages
self.ac.return_json = {}
def _returnImageList(self, images):
'''
Walks through the image list and if the image
size is not 0, it will add it to the returned
list.
'''
il = []
for i in images:
if i['VirtualSize'] > 0:
il.append(i['Id'])
return il
def _formatCons(self, cons):
'''
Returns a formatted dictionary of containers by
image id like:
fcons = {'iid': [{'cid': {'running': bool}}, ... ]}
'''
fcons = {}
for c in cons:
cid = c['Id']
inspect = self.ac.conn.inspect_container(cid)
iid = inspect['Image']
run = inspect['State']['Running']
if 'Dead' in inspect['State']:
dead = inspect['State']['Dead']
else:
dead = False
if dead:
self.dead_cids.append(cid)
if iid not in fcons:
fcons[iid] = [{'uuid': cid, 'running': run, 'Dead': dead}]
else:
fcons[iid].append({'uuid': cid, 'running': run, 'Dead': dead})
return fcons
class Worker(object):
min_procs = 2
max_procs = 4
image_tmp = "/var/tmp/image-scanner"
scan_args = ['allcontainers', 'allimages', 'images', 'logfile',
'fetch_cve', 'number', 'onlyactive', 'reportdir',
'workdir', 'url_root', 'host', 'rest_host',
'rest_port', 'scan', 'fetch_cve_url']
scan_tuple = collections.namedtuple('Namespace', scan_args)
def __init__(self, number=2,
logfile=os.path.join(image_tmp, "openscap.log"),
fetch_cve=False, reportdir=image_tmp, workdir=image_tmp,
host='unix://var/run/docker.sock',
allcontainers=False, onlyactive=False, allimages=False,
images=False, scan=[], fetch_cve_url=""):
self.args =\
self.scan_tuple(number=number, logfile=logfile,
fetch_cve=fetch_cve, reportdir=reportdir,
workdir=workdir, host=host,
allcontainers=allcontainers, allimages=allimages,
onlyactive=onlyactive, images=images, url_root='',
rest_host='', rest_port='', scan=scan,
fetch_cve_url=fetch_cve_url)
self.ac = ApplicationConfiguration(parserargs=self.args)
self.procs = self.set_procs(self.args.number)
if not os.path.exists(self.ac.workdir):
os.makedirs(self.ac.workdir)
self.cs = ContainerSearch(self.ac)
self.output = Reporter(self.ac)
self.scan_list = None
self.failed_scan = None
self.rpms = {}
# full image name can look like sha256:abcdxy:efgfz
self.name_regex = re.compile(r"((?:sha256:)?[^:]+)(?::([^:]+))?")
def set_procs(self, number):
if number is None:
try:
import multiprocessing
numThreads = multiprocessing.cpu_count()
except NotImplementedError:
numThreads = 4
else:
numThreads = number
if numThreads < self.min_procs:
if self.ac.number is not None:
print("The image-scanner requires --number to be a minimum " \
"of {0}. Setting --number to {1}".format(self.min_procs,
self.min_procs))
return self.min_procs
elif numThreads <= self.max_procs:
return numThreads
else:
if self.ac.number is not None:
print("Due to docker issues, we limit the max number "\
"of threads to {0}. Setting --number to "\
"{1}".format(self.max_procs, self.max_procs))
return self.max_procs
def _get_cids_for_image(self, cs, image):
cids = []
if image in cs.fcons:
for container in cs.fcons[image]:
cids.append(container['uuid'])
else:
for iid in cs.fcons:
cids = [con['uuid'] for con in cs.fcons[iid]]
if image in cids:
return cids
return cids
def return_active_threadnames(self, threads):
thread_names = []
for thread in threads:
thread_name = thread._Thread__name
if thread_name is not "MainThread":
thread_names.append(thread_name)
return thread_names
def onlyactive(self):
''' This function sorts of out only the active containers'''
con_list = []
# Rid ourselves of 0 size containers
for container in self.cs.active_containers:
con_list.append(container['Id'])
if len(con_list) == 0:
error = "There are no active containers on this system"
raise ImageScannerClientError(error)
else:
try:
self._do_work(con_list)
except Exception as error:
raise ImageScannerClientError(str(error))
def allimages(self):
if len(self.cs.imagelist) == 0:
error = "There are no images on this system"
raise ImageScannerClientError(error)
if self.args.allimages:
try:
self._do_work(self.cs.allimagelist)
except Exception as error:
raise ImageScannerClientError(str(error))
else:
try:
self._do_work(self.cs.imagelist)
except Exception as error:
raise ImageScannerClientError(str(error))
def list_of_images(self, image_list):
try:
self._do_work(image_list)
except Exception as error:
raise ImageScannerClientError(str(error))
def allcontainers(self):
if len(self.cs.cons) == 0:
error = "There are no containers on this system"
raise ImageScannerClientError(error)
else:
con_list = []
for con in self.cs.cons:
con_list.append(con['Id'])
try:
self._do_work(con_list)
except Exception as error:
raise ImageScannerClientError(str(error))
def _do_work(self, image_list):
from oscap_docker_python.get_cve_input import getInputCVE
self.scan_list = image_list
cve_get = getInputCVE(self.image_tmp)
if self.ac.fetch_cve_url != "":
cve_get.url = self.ac.fetch_cve_url
if self.ac.fetch_cve:
cve_get.fetch_dist_data()
threads = []
mnt_dir = tempfile.mkdtemp()
for image in image_list:
if image in self.cs.dead_cids:
raise ImageScannerClientError("Scan not completed. Cannot "
"scan the dead "
"container {0}".format(image))
cids = self._get_cids_for_image(self.cs, image)
t = threading.Thread(target=self.search_containers, name=image,
args=(image, cids, self.output, mnt_dir,))
threads.append(t)
logging.info("Number of containers to scan: {0}".format(len(threads)))
if isinstance(threading.current_thread(), threading._MainThread):
signal.signal(signal.SIGINT, self.signal_handler)
self.threads_complete = 0
self.cur_scan_threads = 0
while len(threads) > 0:
if self.cur_scan_threads < self.procs:
new_thread = threads.pop()
new_thread.start()
self.cur_scan_threads += 1
while self.cur_scan_threads > 0:
time.sleep(1)
pass
os.rmdir(mnt_dir)
if self.failed_scan is not None:
raise ImageScannerClientError(self.failed_scan)
self.output.report_summary()
def signal_handler(self, signal, frame):
print("\n\nExiting...")
sys.exit(0)
def search_containers(self, image, cids, output, mnt_dir):
try:
f = Scan(image, cids, output, self.ac, mnt_dir)
except Exception as e:
# We don't know all types of docker/atomic exception, so we catch
# all these exceptions to avoid daemon freezing
self.failed_scan = str(e)
self.threads_complete += 1
self.cur_scan_threads -= 1
return
try:
if f.get_release():
t = timeit.Timer(f.scan).timeit(number=1)
logging.debug("Scanned chroot for image {0}"
" completed in {1} seconds"
.format(image, t))
try:
timeit.Timer(f.report_results).timeit(number=1)
image_rpms = f._get_rpms()
self.rpms[image] = image_rpms
except Exception as error:
self.failed_scan = str(error)
else:
# This is not a RHEL image or container
f._report_not_rhel(image)
except subprocess.CalledProcessError:
pass
# umount and clean up temporary container
try:
f.unmount()
except ValueError as e:
logging.error("Unmount error: {}".format(e.msg))
except Exception as e:
# We don't know all types of docker/atomic exception, so we catch
# all these exceptions to avoid daemon freezing
logging.error("Docker: {}".format(e.msg()))
self.threads_complete += 1
self.cur_scan_threads -= 1
def _check_input(self, image_list):
'''
Takes a list of image ids, image-names, container ids, or
container-names and returns a list of images ids and
container ids
'''
work_list = []
# verify
try:
for image in image_list:
iid = self.get_iid(image)
work_list.append(iid)
except ImageScannerClientError:
error = "Unable to associate {0} with any image " \
"or container".format(image)
raise ImageScannerClientError(error)
return work_list
def get_cid(self, input_name):
"""
Given a container name or container id, it will return the
container id
"""
for container in self.ac.cons:
if 'Names' in container and container['Names'] is not None:
if (container['Id'].startswith(input_name)) or \
(('Names' in container) and
(any(input_name in item for item in
container['Names']))):
return container['Id']
break
return None
def parse_image_name(self, input_name):
"""
Parse image name and return its parts as tuple
:param input_name:
:return: (name, tag)
"""
m = self.name_regex.match(input_name)
if m:
return (m.group(1), m.group(2))
else:
return (input_name, None)
def _namesearch(self, input_name):
"""
Looks to see if the input name is the name of a image
"""
image_name, tag = self.parse_image_name(input_name)
name_search = self.ac.conn.images(name=image_name, all=True)
# We found only one result, return it
if len(name_search) == 1:
return name_search[0]['Id']
else:
# We found multiple images with the input name
# If a tag is passed, then we can return the right one
# If not, we assume if all the image_ids are same, we
# can use that.
ilist = []
for image in name_search:
if input_name in image['RepoTags']:
return image['Id']
else:
ilist.append(image['Id'])
if tag is not None:
raise ImageScannerClientError("Unable to find"
"to an image named {0}"
.format(input_name))
# We didn't find it by name only. We check if the image_ids
# are all the same
if len(ilist) > 1:
if all(ilist[0] == image for image in ilist) and (tag is None):
return ilist[0]
else:
raise \
ImageScannerClientError("Found multiple images named"
"{0} with different image Ids."
"Try again with the image"
"name and tag"
.format(input_name))
return None
def get_iid(self, input_name):
'''
Find the image id based on a input_name which can be
an image id, image name, or an image name:tag name.
'''
# Check if the input name is a container
cid = self.get_cid(input_name)
if cid is not None:
return cid
# Check if the input_name was an image name or name:tag
image_id = self._namesearch(input_name)
if image_id is not None:
return image_id
# Maybe input name is an image id (or portion)
for image in self.ac.allimages:
if image['Id'].startswith(input_name):
return image['Id']
raise ImageScannerClientError("Unable to associate {0} with any image"
.format(input_name))
def start_application(self):
if not self.args.onlyactive and not self.args.allcontainers and \
not self.allimages and not self.args.images and \
not self.args.scan:
return {'Error': 'No scan type was selected'}
start_time = time.time()
logging.basicConfig(filename=self.ac.logfile,
format='%(asctime)s %(levelname)-8s %(message)s',
datefmt='%m-%d %H:%M', level=logging.DEBUG)
if self.args.onlyactive:
self.onlyactive()
elif self.args.allcontainers:
self.allcontainers()
elif self.args.allimages or self.args.images:
self.allimages()
else:
# Check to make sure we have valid input
image_list = self._check_input(self.args.scan)
try:
self.list_of_images(image_list)
except ImageScannerClientError as error:
raise dbus.exceptions.DBusException(str(error))
end_time = time.time()
duration = (end_time - start_time)
if duration < 60:
unit = "seconds"
else:
unit = "minutes"
duration = duration / 60
logging.info("Completed entire scan in {0} {1}".format(duration, unit))
docker_state = self.dump_json_log()
return docker_state
def _get_rpms_by_obj(self, docker_obj):
return self.rpms[docker_obj]
def dump_json_log(self):
'''
Creates a log of information about the scan and what was
scanned for post-scan analysis
'''
xmlp = Create_Summary()
# Common Information
json_log = {}
json_log['hostname'] = platform.node()
json_log['scan_time'] = datetime.today().isoformat(' ')
json_log['scanned_content'] = self.scan_list
json_log['host_results'] = {}
json_log['docker_state'] = self.ac.fcons
json_log['host_images'] = [image['Id'] for image in self.ac.allimages]
json_log['host_containers'] = [con['Id'] for con in self.ac.cons]
json_log['docker_state_url'] = self.ac.json_url
tuple_keys = ['rest_host', 'rest_port', 'allcontainers',
'allimages', 'images', 'logfile', 'number',
'reportdir', 'workdir', 'url_root',
'host', 'fetch_cve_url']
for tuple_key in tuple_keys:
tuple_val = None if not hasattr(self.ac.parserargs, tuple_key) \
else getattr(self.ac.parserargs, tuple_key)
json_log[tuple_key] = tuple_val
# Per scanned obj information
for docker_obj in self.scan_list:
json_log['host_results'][docker_obj] = {}
tmp_obj = json_log['host_results'][docker_obj]
if 'msg' in self.ac.return_json[docker_obj].keys():
tmp_obj['isRHEL'] = False
else:
tmp_obj['rpms'] = self._get_rpms_by_obj(docker_obj)
tmp_obj['isRHEL'] = True
xml_path = self.ac.return_json[docker_obj]['xml_path']
tmp_obj['cve_summary'] = \
xmlp._summarize_docker_object(xml_path,
json_log, docker_obj)
# Pulling out good stuff from summary by docker object
for docker_obj in self.ac.return_json.keys():
if 'msg' not in self.ac.return_json[docker_obj].keys():
for key, value in self.ac.return_json[docker_obj].items():
json_log['host_results'][docker_obj][key] = value
json_log['results_summary'] = self.ac.return_json
# DEBUG
# print(json.dumps(json_log, indent=4, separators=(',', ': ')))
with open(self.ac.docker_state, 'w') as state_file:
json.dump(json_log, state_file)
return json_log
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/scanner_client.py���������������������������������0000644�0001751�0000033�00000012014�13163222324�024231� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2015 Brent Baude
# Copyright (C) 2015 Red Hat Inc., Durham, North Carolina.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
from openscap_daemon import dbus_utils
from openscap_daemon.cve_scanner.scanner_error import ImageScannerClientError
import os
import dbus
import dbus.mainloop.glib
import json
import collections
import docker
# TODO: external dep!
from slip.dbus import polkit
class Client(object):
''' The image-scanner client API '''
image_tmp = "/var/tmp/image-scanner"
db_timeout = 99999
tup_names = ['number', 'workdir', 'logfile', 'onlycache',
'reportdir']
tup = collections.namedtuple('args', tup_names)
def __init__(self, number=2,
logfile=os.path.join(image_tmp, "openscap.log"),
onlycache=False,
reportdir=image_tmp, workdir=image_tmp):
self.arg_tup = self.tup(number=number, logfile=logfile,
onlycache=onlycache, reportdir=reportdir,
workdir=workdir)
self.arg_dict = {'number': number, 'logfile': logfile,
'onlycache': onlycache, 'reportdir': reportdir,
'workdir': workdir}
self._docker_ping()
self.num_threads = number
self.bus = dbus.SessionBus()
self.dbus_object = self.bus.get_object(dbus_utils.BUS_NAME,
dbus_utils.OBJECT_PATH)
self.logfile = logfile
self.onlycache = onlycache
self.reportdir = reportdir
self.workdir = workdir
self.onlyactive = False
self.allcontainers = False
self.allimages = False
self.images = False
@staticmethod
def _docker_ping():
d_conn = docker.Client()
try:
d_conn.ping()
except Exception:
raise ImageScannerClientError("The docker daemon does not appear"
"to be running")
@polkit.enable_proxy
def inspect_container(self, cid):
ret = self.dbus_object.inspect_container(
cid,
dbus_interface=dbus_utils.DBUS_INTERFACE,
timeout=self.db_timeout
)
return json.loads(ret)
@polkit.enable_proxy
def get_images_info(self):
ret = self.dbus_object.images(
dbus_interface=dbus_utils.DBUS_INTERFACE,
timeout=self.db_timeout
)
return json.loads(ret)
@polkit.enable_proxy
def get_containers_info(self):
ret = self.dbus_object.containers(
dbus_interface=dbus_utils.DBUS_INTERFACE,
timeout=self.db_timeout
)
return json.loads(ret)
@polkit.enable_proxy
def inspect_image(self, iid):
ret = self.dbus_object.inspect_image(
iid,
dbus_interface=dbus_utils.DBUS_INTERFACE,
timeout=self.db_timeout
)
return json.loads(ret)
def debug_json(self, json_data):
''' Debug function that pretty prints json objects'''
print(json.dumps(json_data, indent=4, separators=(',', ': ')))
@polkit.enable_proxy
def scan_containers(self, only_active=False):
if only_active:
self.onlyactive = True
else:
self.allcontainers = True
ret = self.dbus_object.scan_containers(
self.onlyactive,
self.allcontainers,
self.num_threads,
dbus_interface=dbus_utils.DBUS_INTERFACE,
timeout=self.db_timeout
)
return json.loads(ret)
@polkit.enable_proxy
def scan_images(self, all_images=False):
if all_images:
self.allimages = True
else:
self.images = True
ret = self.dbus_object.scan_images(
self.allimages, self.images,
self.num_threads,
dbus_interface=dbus_utils.DBUS_INTERFACE,
timeout=self.db_timeout
)
return json.loads(ret)
@polkit.enable_proxy
def scan_list(self, scan_list):
if not isinstance(scan_list, list):
raise ImageScannerClientError("Input to scan_list must be in"
"the form of a list")
ret = self.dbus_object.scan_list(
scan_list, self.num_threads,
dbus_interface=dbus_utils.DBUS_INTERFACE,
timeout=self.db_timeout
)
return json.loads(ret)
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/__init__.py���������������������������������������0000644�0001751�0000033�00000001377�13163222324�023013� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2015 Red Hat Inc., Durham, North Carolina.
#
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#__all__ = []
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/scan.py�������������������������������������������0000644�0001751�0000033�00000024612�13163222324�022175� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2015 Brent Baude
# Copyright (C) 2015 Red Hat Inc., Durham, North Carolina.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
import os
import collections
import time
import logging
import subprocess
import xml.etree.ElementTree as ET
import platform
import sys
import bz2
from threading import Lock
if sys.version_info < (3,):
from StringIO import StringIO
else:
from io import StringIO
class Scan(object):
# Fix race-condition in atomic mount/unmount
# We don't want to do mount and unmount simultaneously
_mount_lock = Lock()
def __init__(self, image_uuid, con_uuids, output, appc, mnt_dir="/tmp"):
self.mnt_dir = mnt_dir
self.image_name = image_uuid
self.ac = appc
self.CVEs = collections.namedtuple('CVEs', 'title, severity,'
'cve_ref_id, cve_ref_url,'
'rhsa_ref_id, rhsa_ref_url')
self.list_of_CVEs = []
self.con_uuids = con_uuids
self.output = output
self.report_dir = os.path.join(self.ac.workdir, "reports")
if not os.path.exists(self.report_dir):
os.mkdir(self.report_dir)
start = time.time()
from Atomic.mount import DockerMount
self.DM = DockerMount(self.mnt_dir, mnt_mkdir=True)
with Scan._mount_lock:
self.dm_results = self.DM.mount(image_uuid)
logging.debug("Created scanning chroot in {0}"
" seconds".format(time.time() - start))
self.dest = self.dm_results
def get_release(self):
etc_release_path = os.path.join(self.dest, "rootfs",
"etc/redhat-release")
if not os.path.exists(etc_release_path):
logging.info("{0} is not RHEL based".format(self.image_name))
return False
self.os_release = open(etc_release_path).read()
rhel = 'Red Hat Enterprise Linux'
if rhel in self.os_release:
logging.debug("{0} is {1}".format(self.image_name,
self.os_release.rstrip()))
return True
else:
logging.info("{0} is {1}".format(self.image_name,
self.os_release.rstrip()))
return False
def scan(self):
logging.debug("Scanning chroot {0}".format(self.image_name))
hostname = open("/etc/hostname").read().rstrip()
os.environ["OSCAP_PROBE_ARCHITECTURE"] = platform.processor()
os.environ["OSCAP_PROBE_ROOT"] = os.path.join(self.dest, "rootfs")
os.environ["OSCAP_PROBE_OS_NAME"] = platform.system()
os.environ["OSCAP_PROBE_OS_VERSION"] = platform.release()
os.environ["OSCAP_PROBE_"
"PRIMARY_HOST_NAME"] = "{0}:{1}".format(hostname,
self.image_name)
from oscap_docker_python.get_cve_input import getInputCVE
# We only support RHEL 6|7 in containers right now
osc = getInputCVE("/tmp")
if "Red Hat Enterprise Linux" in self.os_release:
if "7." in self.os_release:
self.chroot_cve_file = os.path.join(
self.ac.workdir, osc.dist_cve_name.format("7"))
if "6." in self.os_release:
self.chroot_cve_file = os.path.join(
self.ac.workdir, osc.dist_cve_name.format("6"))
cmd = ['oscap', 'oval', 'eval', '--report',
os.path.join(self.report_dir,
self.image_name + '.html'),
'--results',
os.path.join(self.report_dir,
self.image_name + '.xml'), self.chroot_cve_file]
logging.debug(
"Starting evaluation with command '%s'.",
" ".join(cmd))
try:
self.result = subprocess.check_output(cmd).decode("utf-8")
except Exception:
pass
# def capture_run(self, cmd):
# '''
# Subprocess command that captures and returns the output and
# return code.
# '''
# r = subprocess.Popen(cmd, stdout=subprocess.PIPE,
# stderr=subprocess.PIPE)
# return r.communicate(), r.returncode
def get_cons(self, fcons, short_iid):
cons = []
for image in fcons:
if image.startswith(short_iid):
for con in fcons[image]:
cons.append(con['uuid'][:12])
return cons
def report_results(self):
if not os.path.exists(self.chroot_cve_file):
from openscap_daemon.cve_scanner.scanner_error import ImageScannerClientError
raise ImageScannerClientError("Unable to find {0}"
.format(self.chroot_cve_file))
return False
cve_tree = ET.parse(bz2.BZ2File(self.chroot_cve_file))
self.cve_root = cve_tree.getroot()
for line in self.result.splitlines():
split_line = line.split(':')
# Not in love with how I did this
# Should find a better marked to know if it is a line
# a parsable line.
if (len(split_line) == 5) and ('true' in split_line[4]):
self._return_xml_values(line.split()[1][:-1])
sev_dict = {}
sum_log = StringIO()
sum_log.write("Image: {0} ({1})".format(self.image_name,
self.os_release))
cons = self.get_cons(self.ac.fcons, self.image_name)
sum_log.write("\nContainers based on this image ({0}): {1}\n"
.format(len(cons), ", ".join(cons)))
for sev in ['Critical', 'Important', 'Moderate', 'Low']:
sev_counter = 0
for cve in self.list_of_CVEs:
if cve.severity == sev:
sev_counter += 1
sum_log.write("\n")
fields = list(self.CVEs._fields)
fields.remove('title')
sum_log.write("{0}{1}: {2}\n"
.format(" " * 5, "Title",
getattr(cve, "title")))
for field in fields:
sum_log.write("{0}{1}: {2}\n"
.format(" " * 10, field.title(),
getattr(cve, field)))
sev_dict[sev] = sev_counter
self.output.list_of_outputs.append(
self.output.output(iid=self.image_name, cid=self.con_uuids,
os=self.os_release, sevs=sev_dict,
log=sum_log.getvalue(), msg=None))
sum_log.close()
def _report_not_rhel(self, image):
msg = "{0} is not based on RHEL".format(image[:8])
self.output.list_of_outputs.append(
self.output.output(iid=image, cid=None,
os=None, sevs=None,
log=None, msg=msg))
def _return_xml_values(self, cve):
cve_string = ("{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
"definitions/*[@id='%s']" % cve)
cve_xml = self.cve_root.find(cve_string)
title = cve_xml.find("{http://oval.mitre.org/XMLSchema/oval-"
"definitions-5}metadata/"
"{http://oval.mitre.org/XMLSchema/"
"oval-definitions-5}title")
cve_id = cve_xml.find("{http://oval.mitre.org/XMLSchema/"
"oval-definitions-5}metadata/{http://oval.mitre."
"org/XMLSchema/oval-definitions-5}reference"
"[@source='CVE']")
sev = (cve_xml.find("{http://oval.mitre.org/XMLSchema/oval-definitions"
"-5}metadata/{http://oval.mitre.org/XMLSchema/oval"
"-definitions-5}advisory/")).text
if cve_id is not None:
cve_ref_id = cve_id.attrib['ref_id']
cve_ref_url = cve_id.attrib['ref_url']
else:
cve_ref_id = None
cve_ref_url = None
rhsa_id = cve_xml.find("{http://oval.mitre.org/XMLSchema/oval-"
"definitions-5}metadata/{http://oval.mitre.org"
"/XMLSchema/oval-definitions-5}reference"
"[@source='RHSA']")
if rhsa_id is not None:
rhsa_ref_id = rhsa_id.attrib['ref_id']
rhsa_ref_url = rhsa_id.attrib['ref_url']
else:
rhsa_ref_id = None
rhsa_ref_url = None
self.list_of_CVEs.append(
self.CVEs(title=title.text, cve_ref_id=cve_ref_id,
cve_ref_url=cve_ref_url, rhsa_ref_id=rhsa_ref_id,
rhsa_ref_url=rhsa_ref_url, severity=sev))
def _get_rpms(self):
# TODO: External dep!
import rpm
chroot_os = os.path.join(self.dest, "rootfs")
ts = rpm.TransactionSet(chroot_os)
ts.setVSFlags((rpm._RPMVSF_NOSIGNATURES | rpm._RPMVSF_NODIGESTS))
image_rpms = []
for hdr in ts.dbMatch(): # No sorting
if hdr['name'] == 'gpg-pubkey':
continue
else:
foo = "{0}-{1}-{2}-{3}-{4}".format(hdr['name'],
hdr['epochnum'],
hdr['version'],
hdr['release'],
hdr['arch'])
image_rpms.append(foo)
return image_rpms
def unmount(self):
with Scan._mount_lock:
self.DM.unmount_path(self.dest)
self.DM._clean_temp_container_by_path(self.dest)
os.rmdir(self.dest)
����������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_scanner/scanner_error.py����������������������������������0000644�0001751�0000033�00000001621�13163222324�024106� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2015 Brent Baude
# Copyright (C) 2015 Red Hat Inc., Durham, North Carolina.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
import dbus
class ImageScannerClientError(dbus.DBusException):
"""ImageScanner error"""
dbus_error_name = 'org.atomic.Exception'
���������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/cve_feed_manager.py�������������������������������������������0000644�0001751�0000033�00000017652�13163222324�022223� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright (C) 2016 Red Hat Inc., Durham, North Carolina.
# Copyright (C) 2015 Brent Baude
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
try:
# Python2 imports
import urlparse
import urllib2 as urllib
except ImportError:
# Python3 imports
import urllib.parse as urlparse
import urllib.request as urllib
import os
import os.path
import time
import datetime
import logging
import bz2
import threading
class CVEFeedManager(object):
"""Class to obtain the CVE data provided by RH and possibly other vendors.
The CVE data is used to scan for CVEs using OpenSCAP
"""
default_url = "https://www.redhat.com/security/data/oval/"
class HeadRequest(urllib.Request):
def get_method(self):
return "HEAD"
def __init__(self, dest="/tmp"):
self.dest = dest
self.hdr = {"User-agent": "Mozilla/5.0"}
self.hdr2 = [("User-agent", "Mozilla/5.0")]
self.url = CVEFeedManager.default_url
self.remote_dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml.bz2"
self.local_dist_cve_name = "com.redhat.rhsa-RHEL{0}.xml"
self.dists = [5, 6, 7]
self.remote_pattern = '%a, %d %b %Y %H:%M:%S %Z'
self.fetch_enabled = True
# check for fresh CVE feeds at most every 10 minutes
self.fetch_timeout = 10 * 60
# A map of remote URIs to the time we last checked them for fresh
# content.
self.fetch_last_checked = {}
# Let us only check for fresh CVEs once at a time
self.fetch_lock = threading.Lock()
def _parse_http_headers(self, http_headers):
"""Returns dictionary containing HTTP headers with lowercase keys
"""
headers_dict = dict(http_headers)
return dict((key.lower(), value) for key, value in headers_dict.items())
def _print_no_last_modified_warning(self, url):
logging.warning(
"Warning: Response header of HTTP doesn't contain "
"\"last-modified\" field. Cannot determine version"
" of remote file \"{0}\"".format(url)
)
def _is_cache_same(self, local_file, remote_url):
"""Checks if the local cache version and the upstream
version is the same or not. If they are the same,
returns True; else False.
"""
with self.fetch_lock:
if not os.path.exists(local_file):
logging.debug(
"No local file cached, will fetch {0}".format(remote_url)
)
return False
last_checked = self.fetch_last_checked.get(remote_url, 0)
now = time.time()
if now - last_checked <= self.fetch_timeout:
logging.debug(
"Checked for fresh version of '%s' just %f seconds ago. "
"Will wait %f seconds before checking again.",
remote_url, now - last_checked,
self.fetch_timeout - now + last_checked
)
return True
opener = urllib.build_opener()
# Add the header
opener.addheaders = self.hdr2
# Grab the header
try:
res = opener.open(CVEFeedManager.HeadRequest(remote_url))
headers = self._parse_http_headers(res.info())
res.close()
remote_ts = headers['last-modified']
except urllib.HTTPError as http_error:
logging.debug(
"Cannot send HTTP HEAD request to get \"last-modified\" "
"attribute of remote content file.\n{0} - {1}"
.format(http_error.code, http_error.reason)
)
return False
except KeyError:
self._print_no_last_modified_warning(remote_url)
return False
self.fetch_last_checked[remote_url] = time.time()
# The remote's datetime
remote_dt = datetime.datetime.strptime(
remote_ts, self.remote_pattern
)
# Get the locals datetime from the file's mtime, converted to UTC
local_dt = datetime.datetime.utcfromtimestamp(
os.stat(local_file).st_mtime
)
# Giving a two second comfort zone
# Else we declare they are different
if (remote_dt - local_dt).seconds > 2:
logging.info("Had a local version of {0} "
"but it wasn't new enough".format(local_file))
return False
logging.debug("File {0} is same as upstream".format(local_file))
return True
def get_rhel_cve_feed(self, dist):
"""Given a distribution number (i.e. 7), it will fetch the
distribution specific data file if upstream has a newer
input file. Returns the path of file.
If we already have a cached version that is fresh it will just
return the path.
"""
local_file = os.path.join(
self.dest, self.local_dist_cve_name.format(dist)
)
if not self.fetch_enabled:
return local_file
remote_url = urlparse.urljoin(
self.url, self.remote_dist_cve_name.format(dist)
)
if self._is_cache_same(local_file, remote_url):
return local_file
_url = urllib.Request(remote_url, headers=self.hdr)
try:
resp = urllib.urlopen(_url)
except Exception as url_error:
raise Exception("Unable to fetch CVE inputs due to {0}"
.format(url_error))
fh = open(local_file, "wb")
fh.write(bz2.decompress(resp.read()))
fh.close()
# Correct Last-Modified timestamp
headers = self._parse_http_headers(resp.info())
resp.close()
try:
remote_ts = headers['last-modified']
epoch = datetime.datetime.utcfromtimestamp(0)
remote_dt = datetime.datetime.strptime(remote_ts, self.remote_pattern)
seconds_epoch = (remote_dt - epoch).total_seconds()
os.utime(local_file, (seconds_epoch, seconds_epoch))
except KeyError:
self._print_no_last_modified_warning(remote_url)
return local_file
def fetch_all_rhel_cve_feeds(self):
"""Fetches all the the distribution specific data used for
input with openscap cve scanning and returns a list
of those files.
"""
cve_files = []
for dist in self.dists:
cve_files.append(self.get_cve_feed(dist))
return cve_files
def get_cve_feed(self, cpe_ids):
if "cpe:/o:redhat:enterprise_linux:7" in cpe_ids:
return self.get_rhel_cve_feed(7)
elif "cpe:/o:redhat:enterprise_linux:6" in cpe_ids:
return self.get_rhel_cve_feed(6)
elif "cpe:/o:redhat:enterprise_linux:5" in cpe_ids:
return self.get_rhel_cve_feed(5)
raise RuntimeError(
"Can't find a supported CPE ID in %s" % (", ".join(cpe_ids))
)
def get_cve_feed_last_updated(self, cpe_ids):
local_file = self.get_cve_feed(cpe_ids)
assert(os.path.exists(local_file))
# local timestamp, local timezone datetime
return datetime.datetime.fromtimestamp(os.path.getmtime(local_file))
��������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/evaluation_spec.py��������������������������������������������0000644�0001751�0000033�00000051544�13163222324�022150� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
from openscap_daemon import et_helpers
from openscap_daemon import oscap_helpers
from xml.etree import cElementTree as ElementTree
import os.path
import tempfile
import shutil
import io
class SCAPInput(object):
"""Encapsulates all sorts of SCAP input, either embedded in the spec
itself or separate in a file installed via RPM or other means.
This does not include tailoring! That is handled separately,
see SCAPTailoring class.
"""
def __init__(self):
self.file_path = None
self.temp_file = None
self.datastream_id = None
self.xccdf_id = None
def is_valid(self):
return self.file_path is not None
def get_xml_source(self):
if self.file_path is None:
return None
with io.open(self.file_path, "r", encoding="utf-8") as f:
return f.read()
def is_equivalent_to(self, other):
return \
self.get_xml_source() == other.get_xml_source() and \
self.datastream_id == other.datastream_id and \
self.xccdf_id == other.xccdf_id
def set_file_path(self, file_path):
"""Sets given file_path to be the input file. If you use this method
no temporary files will be allocated, the file_path will be passed to
`oscap` as is, in its absolute form.
"""
self.temp_file = None
if file_path is not None:
self.file_path = \
os.path.abspath(file_path) if file_path is not None else None
else:
self.file_path = None
def set_contents(self, input_contents):
"""Sets given input_contents XML to be the input source. This method
allocates a temporary file that exists for the lifetime of this
instance.
"""
if input_contents is not None:
self.temp_file = tempfile.NamedTemporaryFile()
self.temp_file.write(input_contents.encode("utf-8"))
self.temp_file.flush()
self.file_path = os.path.abspath(self.temp_file.name)
else:
self.file_path = None
def load_from_xml_element(self, element):
input_file = element.get("href")
if input_file is not None:
self.set_file_path(input_file)
else:
input_file_contents = element.text
self.set_contents(input_file_contents)
self.datastream_id = element.get("datastream_id")
self.xccdf_id = element.get("xccdf_id")
def to_xml_element(self):
if self.file_path is None:
return None
ret = ElementTree.Element("input")
if self.temp_file is None:
ret.set("href", self.file_path)
else:
with io.open(self.temp_file.name, "r", encoding="utf-8") as f:
ret.text = f.read()
if self.datastream_id is not None:
ret.set("datastream_id", self.datastream_id)
if self.xccdf_id is not None:
ret.set("xccdf_id", self.xccdf_id)
return ret
class SCAPTailoring(object):
"""Encapsulates SCAP tailoring. At this point we only support separate files
as tailorings, not the input SCAP file. The tailoring has to be plain
XCCDF tailoring, no datastreams!
"""
def __init__(self):
self.file_path = None
self.temp_file = None
def get_xml_source(self):
if self.file_path is None:
return None
with io.open(self.file_path, "r", encoding="utf-8") as f:
return f.read()
def is_equivalent_to(self, other):
return \
self.get_xml_source() == other.get_xml_source()
def set_file_path(self, file_path):
"""Sets given file_path to be the input file. If you use this method
no temporary files will be allocated, the file_path will be passed to
`oscap` as is, in its absolute form.
"""
self.temp_file = None
if file_path is not None:
self.file_path = \
os.path.abspath(file_path) if file_path is not None else None
else:
self.file_path = None
def set_contents(self, input_contents):
"""Sets given input_contents XML to be the input source. This method
allocates a temporary file that exists for the lifetime of this
instance.
"""
if input_contents is not None:
self.temp_file = tempfile.NamedTemporaryFile()
self.temp_file.write(input_contents.encode("utf-8"))
self.temp_file.flush()
self.file_path = os.path.abspath(self.temp_file.name)
else:
self.file_path = None
def load_from_xml_element(self, element):
input_file = element.get("href")
if input_file is not None:
self.set_file_path(input_file)
else:
input_file_contents = element.text
self.set_contents(input_file_contents)
def to_xml_element(self):
if self.file_path is None:
return None
ret = ElementTree.Element("tailoring")
if self.temp_file is None:
ret.set("href", self.file_path)
else:
with io.open(self.temp_file.name, "r", encoding="utf-8") as f:
ret.text = f.read()
return ret
class EvaluationSpec(object):
"""This class defined input content, tailoring, profile, ...
for an SCAP evaluation task. Everything expect schedule.
Example of a task:
Run USGCB evaluation on RHEL6 localhost machine
"""
def __init__(self):
self.mode = oscap_helpers.EvaluationMode.SOURCE_DATASTREAM
self.target = "localhost"
self.input_ = SCAPInput()
self.tailoring = SCAPTailoring()
self.profile_id = None
self.online_remediation = False
self.cpe_hints = []
def __str__(self):
ret = "Evaluation spec\n"
ret += "- mode: \t%s\n" % \
(oscap_helpers.EvaluationMode.to_string(self.mode))
ret += "- target: \t%s\n" % (self.target)
ret += "- input:\n"
ret += " - file: \t%s\n" % (self.input_.file_path)
if self.input_.temp_file is not None:
ret += " - bundled"
ret += " - datastream_id: \t%s\n" % (self.input_.datastream_id)
ret += " - xccdf_id: \t%s\n" % (self.input_.xccdf_id)
ret += "- tailoring file: \t%s\n" % (self.tailoring.file_path)
if self.tailoring.temp_file is not None:
ret += " - bundled"
ret += "- profile ID: \t%s\n" % (self.profile_id)
ret += "- online remediation: \t%s\n" % \
("enabled" if self.online_remediation else "disabled")
ret += "- CPE hints: \t%s\n" % \
("none" if len(self.cpe_hints) == 0 else ", ".join(self.cpe_hints))
return ret
def is_valid(self):
if self.mode == oscap_helpers.EvaluationMode.UNKNOWN:
return False
if self.target is None:
return False
# cve_scan and standard_scan modes don't require the input element
if self.mode not in [oscap_helpers.EvaluationMode.CVE_SCAN,
oscap_helpers.EvaluationMode.STANDARD_SCAN] and \
not self.input_.is_valid():
return False
return True
def is_equivalent_to(self, other):
"""Checks that both "Task self" and "Task other" are the same except for
id_ and config_file.
"""
return \
self.mode == other.mode and \
self.target == other.target and \
self.input_.is_equivalent_to(other.input_) and \
self.tailoring.is_equivalent_to(other.tailoring) and \
self.profile_id == other.profile_id and \
self.online_remediation == other.online_remediation and \
self.cpe_hints == other.cpe_hints
def load_from_xml_element(self, element):
self.mode = oscap_helpers.EvaluationMode.from_string(
et_helpers.get_element_text(element, "mode", "sds")
)
self.target = et_helpers.get_element_text(element, "target")
self.input_ = SCAPInput()
self.input_.load_from_xml_element(
et_helpers.get_element(element, "input")
)
self.tailoring = SCAPTailoring()
try:
self.tailoring.load_from_xml_element(
et_helpers.get_element(element, "tailoring")
)
except RuntimeError:
# tailoring is optional, if it's not present just skip tailoring
pass
self.profile_id = et_helpers.get_element_text(element, "profile")
self.online_remediation = \
et_helpers.get_element_text(element, "online_remediation") == "true"
cpe_hints_str = et_helpers.get_element_text(element, "cpe_hints")
self.cpe_hints = []
if cpe_hints_str is not None:
for cpe_hint in cpe_hints_str.split(", "):
self.cpe_hints.append(cpe_hint)
def load_from_xml_source(self, xml_source):
element = ElementTree.fromstring(xml_source)
self.load_from_xml_element(element)
def load_from_xml_file(self, file_):
element = ElementTree.parse(file_)
self.load_from_xml_element(element)
def to_xml_element(self):
ret = ElementTree.Element("evaluation_spec")
mode_element = ElementTree.Element("mode")
mode_element.text = oscap_helpers.EvaluationMode.to_string(self.mode)
ret.append(mode_element)
target_element = ElementTree.Element("target")
target_element.text = self.target
ret.append(target_element)
input_element = self.input_.to_xml_element()
if input_element is not None:
ret.append(input_element)
tailoring_element = self.tailoring.to_xml_element()
if tailoring_element is not None:
ret.append(tailoring_element)
if self.profile_id is not None:
profile_element = ElementTree.Element("profile")
profile_element.text = self.profile_id
ret.append(profile_element)
online_remediation_element = ElementTree.Element("online_remediation")
online_remediation_element.text = \
"true" if self.online_remediation else "false"
ret.append(online_remediation_element)
if len(self.cpe_hints) > 0:
cpe_hints_element = ElementTree.Element("cpe_hints")
cpe_hints_element.text = ", ".join(self.cpe_hints)
ret.append(cpe_hints_element)
return ret
def to_xml_source(self):
element = self.to_xml_element()
return ElementTree.tostring(element, "utf-8")
def get_cpe_ids(self, config):
cpe_ids = self.cpe_hints
if len(cpe_ids) == 0:
cpe_ids = EvaluationSpec.detect_CPEs_of_target(
self.target, config
)
return cpe_ids
def select_profile_by_suffix(self, profile_suffix):
input_file = self.input_.file_path
if input_file is None:
raise RuntimeError("No SCAP content file was set in the EvaluationSpec")
profiles = oscap_helpers.get_profile_choices_for_input(input_file, None)
profile_id_match = False
for p in profiles:
if p.endswith(profile_suffix):
if profile_id_match:
raise ProfileSuffixMatchError(
"Found multiple profiles with suffix %s." %
profile_suffix
)
else:
self.profile_id = p
profile_id_match = True
if profile_id_match:
return self.profile_id
else:
raise ProfileSuffixMatchError(
"No profile with suffix %s" %
profile_suffix
)
def generate_guide(self, config):
if self.mode == oscap_helpers.EvaluationMode.SOURCE_DATASTREAM:
return oscap_helpers.generate_guide(self, config)
elif self.mode == oscap_helpers.EvaluationMode.OVAL:
# TODO: improve this
return "OVAL evaluation"
elif self.mode == oscap_helpers.EvaluationMode.CVE_SCAN:
# TODO: improve this
return "CVE scan evaluation"
elif self.mode == oscap_helpers.EvaluationMode.STANDARD_SCAN:
return oscap_helpers.generate_guide(self, config)
raise RuntimeError("Unknown EvaluationMode %i" % (self.mode))
def generate_fix(self, config, fix_type):
if self.mode in [oscap_helpers.EvaluationMode.SOURCE_DATASTREAM,
oscap_helpers.EvaluationMode.STANDARD_SCAN]:
return oscap_helpers.generate_fix(self, config, fix_type)
raise RuntimeError("Unsupported EvaluationMode %i" % (self.mode))
def get_oscap_guide_arguments(self, config):
ret = []
if self.mode == oscap_helpers.EvaluationMode.SOURCE_DATASTREAM:
# TODO: Is this supported in OpenSCAP?
if self.input_.datastream_id is not None:
ret.extend(["--datastream-id", self.input_.datastream_id])
# TODO: Is this supported in OpenSCAP?
if self.input_.xccdf_id is not None:
ret.extend(["--xccdf-id", self.input_.xccdf_id])
# TODO: Is this supported in OpenSCAP?
if self.tailoring.file_path is not None:
ret.extend(["--tailoring-file", self.tailoring.file_path])
if self.profile_id is not None:
ret.extend(["--profile", self.profile_id])
ret.append(self.input_.file_path)
elif self.mode == oscap_helpers.EvaluationMode.STANDARD_SCAN:
# TODO: Is this supported in OpenSCAP?
if self.tailoring.file_path is not None:
ret.extend(["--tailoring-file", self.tailoring.file_path])
ret.extend(["--profile",
"xccdf_org.ssgproject.content_profile_standard"])
ret.append(config.get_ssg_sds(self.get_cpe_ids(config)))
else:
raise NotImplementedError("This EvaluationMode is unsupported here!")
return ret
def get_oscap_arguments(self, config):
if self.mode == oscap_helpers.EvaluationMode.SOURCE_DATASTREAM:
ret = ["xccdf", "eval"]
if self.input_.datastream_id is not None:
ret.extend(["--datastream-id", self.input_.datastream_id])
if self.input_.xccdf_id is not None:
ret.extend(["--xccdf-id", self.input_.xccdf_id])
if self.tailoring.file_path is not None:
ret.extend(["--tailoring-file", self.tailoring.file_path])
if self.profile_id is not None:
ret.extend(["--profile", self.profile_id])
if self.online_remediation:
ret.append("--remediate")
# We are on purpose only interested in ARF, everything else can be
# generated from that.
ret.extend(["--results-arf", "results.xml"])
ret.append(self.input_.file_path)
elif self.mode == oscap_helpers.EvaluationMode.OVAL:
ret = ["oval", "eval"]
ret.extend(["--results", "results.xml"])
# Again, we are only interested in OVAL results, everything else can
# be generated.
ret.append(self.input_.file_path)
elif self.mode == oscap_helpers.EvaluationMode.CVE_SCAN:
ret = ["oval", "eval"]
ret.extend(["--results", "results.xml"])
# Again, we are only interested in OVAL results, everything else can
# be generated.
ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
elif self.mode == oscap_helpers.EvaluationMode.STANDARD_SCAN:
ret = ["xccdf", "eval"]
if self.tailoring.file_path is not None:
ret.extend(["--tailoring-file", self.tailoring.file_path])
if self.profile_id is None:
ret.extend(["--profile",
"xccdf_org.ssgproject.content_profile_standard"])
else:
ret.extend(["--profile", self.profile_id])
if self.online_remediation:
ret.append("--remediate")
# We are on purpose only interested in ARF, everything else can be
# generated from that.
ret.extend(["--results-arf", "results.xml"])
ret.append(config.get_ssg_sds(self.get_cpe_ids(config)))
else:
raise RuntimeError("Unknown evaluation mode %i" % (self.mode))
return ret
def evaluate_into_dir(self, config):
return oscap_helpers.evaluate(self, config)
def evaluate(self, config):
wip_result = self.evaluate_into_dir(config)
try:
exit_code = -1
with io.open(os.path.join(wip_result, "exit_code"), "r",
encoding="utf-8") as f:
exit_code = int(f.read())
stdout = ""
with io.open(os.path.join(wip_result, "stdout"), "r",
encoding="utf-8") as f:
stdout = f.read()
stderr = ""
with io.open(os.path.join(wip_result, "stderr"), "r",
encoding="utf-8") as f:
stderr = f.read()
results = ""
try:
with io.open(os.path.join(wip_result, "results.xml"), "r",
encoding="utf-8") as f:
results = f.read()
except Exception as e:
raise RuntimeError(
"Failed to read results.xml of EvaluationSpec evaluation.\n"
"stdout:\n%s\n\nstderr:\n%s\n\nexception: %s" %
(stdout, stderr, e)
)
return (results, stdout, stderr, exit_code)
finally:
shutil.rmtree(wip_result)
@staticmethod
def detect_CPEs_of_target(target, config):
"""Returns list of CPEs that are applicable on given target. For example
if the target is a Red Hat Enterprise Linux 7 machine this static method
would return:
["cpe:/o:redhat:enterprise_linux", "cpe:/o:redhat:enterprise_linux:7"]
"""
# We detect the CPEs by running the OpenSCAP CPE OVAL and looking at
# positive definitions.
if config.cpe_oval_path == "":
raise RuntimeError(
"Cannot detect CPEs without the OpenSCAP CPE OVAL. Please set "
"its path in the config file"
)
es = EvaluationSpec()
es.mode = oscap_helpers.EvaluationMode.OVAL
es.target = target
es.input_.set_file_path(config.cpe_oval_path)
results, stdout, stderr, exit_code = es.evaluate(config)
if exit_code != 0:
raise RuntimeError("Failed to detect CPEs of target '%s'.\n\n"
"stdout:\n%s\n\nstderr:\n%s"
% (target, stdout, stderr))
namespaces = {
"ovalres": "http://oval.mitre.org/XMLSchema/oval-results-5",
"ovaldef": "http://oval.mitre.org/XMLSchema/oval-definitions-5"
}
results_tree = ElementTree.fromstring(results)
# first we collect all definition ids that resulted in true
definition_ids = []
for definition in results_tree.findall(
"./ovalres:results/ovalres:system/ovalres:definitions/"
"ovalres:definition[@result='true']", namespaces):
def_id_attr = definition.get("definition_id")
if def_id_attr is None:
continue
definition_ids.append(def_id_attr)
cpe_ids = []
# now we need to lookup the CPE ID for each definition id
for definition_id in definition_ids:
for reference in results_tree.findall(
"./ovaldef:oval_definitions/ovaldef:definitions/"
"ovaldef:definition[@id='%s']/ovaldef:metadata/"
"ovaldef:reference[@source='CPE']" % (definition_id),
namespaces):
ref_id = reference.get("ref_id")
if ref_id is None:
continue
cpe_ids.append(ref_id)
return cpe_ids
class ProfileSuffixMatchError(Exception):
pass
������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/__init__.py���������������������������������������������������0000644�0001751�0000033�00000001736�13163222324�020524� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
from openscap_daemon.evaluation_spec import EvaluationSpec
from openscap_daemon.system import System
from openscap_daemon.task import Task
__all__ = ["EvaluationSpec", "System", "Task"]
����������������������������������openscap-daemon-0.1.8/openscap_daemon/dbus_utils.py�������������������������������������������������0000644�0001751�0000033�00000002143�13163222324�021133� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import os
OBJECT_PATH = "/OpenSCAP/daemon"
DBUS_INTERFACE = "org.OpenSCAP.daemon.Interface"
BUS_NAME = "org.OpenSCAP.daemon"
def get_dbus():
import dbus
var_name = "OSCAPD_SESSION_BUS"
if var_name in os.environ and os.environ[var_name] == "1":
return dbus.SessionBus()
return dbus.SystemBus()
�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/dbus_daemon.py������������������������������������������������0000644�0001751�0000033�00000052163�13163222324�021245� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
from openscap_daemon import system
from openscap_daemon import EvaluationSpec
from openscap_daemon import dbus_utils
from openscap_daemon.cve_scanner.cve_scanner import Worker
from openscap_daemon import version
import dbus
import dbus.service
import threading
from datetime import datetime
import json
# Internal note: Python does not support unsigned long integer while dbus does,
# to avoid weird issues I just use 64bit integer in the interface signatures.
# "2^63-1 IDs should be enough for everyone."
class OpenSCAPDaemonDbus(dbus.service.Object):
def __init__(self, bus, config_file):
super(OpenSCAPDaemonDbus, self).__init__(bus, dbus_utils.OBJECT_PATH)
self.system = system.System(config_file)
self.system.load_tasks()
self.system_worker_thread = threading.Thread(
target=lambda: self.system.schedule_tasks_worker()
)
self.system_worker_thread.daemon = True
self.system_worker_thread.start()
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="", out_signature="(nnn)")
def GetVersion(self):
"""Retrieves OpenSCAP-daemon version in a tuple format, suitable
for version comparisons.
"""
return (
version.VERSION_MAJOR,
version.VERSION_MINOR,
version.VERSION_PATCH
)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="", out_signature="as")
def GetSSGChoices(self):
"""Retrieves absolute paths of SSG source datastreams that are
available.
"""
return self.system.get_ssg_choices()
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="ss", out_signature="a{ss}")
def GetProfileChoicesForInput(self, input_file, tailoring_file):
"""Figures out profile ID -> profile title mappings of all available
profiles given the input_file and (optionally) the tailoring_file.
"""
return self.system.get_profile_choices_for_input(
input_file, tailoring_file
)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="", out_signature="a(xsi)")
def GetAsyncActionsStatus(self):
return self.system.async.get_status()
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="s", out_signature="(sssn)")
def EvaluateSpecXML(self, xml_source):
"""Deprecated, use EvaluateSpecXMLAsync instead
"""
spec = EvaluationSpec()
spec.load_from_xml_source(xml_source)
arf, stdout, stderr, exit_code = spec.evaluate(self.system.config)
return (arf, stdout, stderr, exit_code)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="s", out_signature="n")
def EvaluateSpecXMLAsync(self, xml_source):
spec = EvaluationSpec()
spec.load_from_xml_source(xml_source)
token = self.system.evaluate_spec_async(spec)
return token
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="n", out_signature="(bsssn)")
def GetEvaluateSpecXMLAsyncResults(self, token):
try:
arf, stdout, stderr, exit_code = \
self.system.get_evaluate_spec_async_results(token)
return (True, arf, stdout, stderr, exit_code)
except system.ResultsNotAvailable:
return (False, "", "", "", 1)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="n", out_signature="")
def CancelEvaluateSpecXMLAsync(self, token):
# TODO
pass
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="", out_signature="ax")
def ListTaskIDs(self):
"""Returns a list of IDs of tasks that System has loaded from config
files.
"""
return self.system.list_task_ids()
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xs", out_signature="")
def SetTaskTitle(self, task_id, title):
"""Set title of existing task with given ID.
The change is persistent after the function returns.
"""
return self.system.set_task_title(task_id, title)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="x", out_signature="s")
def GetTaskTitle(self, task_id):
"""Retrieves title of task with given ID.
"""
return self.system.get_task_title(task_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="x", out_signature="s")
def GenerateGuideForTask(self, task_id):
"""Generates and returns HTML guide for a task with given ID.
"""
return self.system.generate_guide_for_task(task_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xs", out_signature="s")
def GenerateFixForTask(self, task_id, fix_type):
"""Generates and returns fix script for a task with given ID.
"""
return self.system.generate_fix_for_task(task_id, fix_type)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="x", out_signature="")
def RunTaskOutsideSchedule(self, task_id):
"""Given task will be run as soon as possible without affecting its
schedule. This feature is useful mainly for testing purposes.
"""
return self.system.run_task_outside_schedule(task_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="", out_signature="x")
def CreateTask(self):
"""Creates a new task with empty contents, the task is created
in a disabled state so it won't be run.
The task is not persistent until some of its attributes are changed.
Empty tasks are worthless, so we don't save them until they have at
least some data.
"""
return self.system.create_task()
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xb", out_signature="")
def RemoveTask(self, task_id, remove_results):
"""Removes task with given ID and deletes its config file. The task has
to be disabled, else the operation fails.
The change is persistent after the function returns.
"""
return self.system.remove_task(task_id, remove_results)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xb", out_signature="")
def SetTaskEnabled(self, task_id, enabled):
"""Sets enabled flag of an existing task with given ID.
The change is persistent after the function returns.
"""
return self.system.set_task_enabled(task_id, enabled)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="x", out_signature="b")
def GetTaskEnabled(self, task_id):
"""Retrieves the enabled flag of an existing task with given ID.
"""
return self.system.get_task_enabled(task_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xs", out_signature="")
def SetTaskTarget(self, task_id, target):
"""Set target of existing task with given ID.
The change is persistent after the function returns.
"""
return self.system.set_task_target(task_id, target)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="x", out_signature="s")
def GetTaskTarget(self, task_id):
"""Retrieves target of existing task with given ID.
"""
return self.system.get_task_target(task_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="x", out_signature="x")
def GetTaskCreatedTimestamp(self, task_id):
"""Get timestamp of task creation
"""
return self.system.get_task_created_timestamp(task_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="x", out_signature="x")
def GetTaskModifiedTimestamp(self, task_id):
"""Get timestamp of task modification
"""
return self.system.get_task_modified_timestamp(task_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xs", out_signature="")
def SetTaskInput(self, task_id, input_):
"""Set input of existing task with given ID.
input can be absolute file path or the XML source itself, this is
is autodetected.
The change is persistent after the function returns.
"""
return self.system.set_task_input(
task_id, input_ if input_ != "" else None
)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xs", out_signature="")
def SetTaskTailoring(self, task_id, tailoring):
"""Set tailoring of existing task with given ID.
tailoring can be absolute file path or the XML source itself, this is
is autodetected.
The change is persistent after the function returns.
"""
return self.system.set_task_tailoring(
task_id, tailoring if tailoring != "" else None
)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xs", out_signature="")
def SetTaskProfileID(self, task_id, profile_id):
"""Set profile ID of existing task with given ID.
The change is persistent after the function returns.
"""
return self.system.set_task_profile_id(task_id, profile_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xb", out_signature="")
def SetTaskOnlineRemediation(self, task_id, online_remediation):
"""Sets whether online remediation of existing task with given ID
is enabled.
The change is persistent after the function returns.
"""
return self.system.set_task_online_remediation(
task_id, online_remediation
)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xs", out_signature="")
def SetTaskScheduleNotBefore(self, task_id, schedule_not_before_str):
"""Sets time when the task is next scheduled to run. The time is passed
as a string in format YYYY-MM-DDTHH:MM in UTC with no timezone info!
Example: 2015-05-14T13:49
The change is persistent after the function returns.
"""
schedule_not_before = datetime.strptime(
schedule_not_before_str,
"%Y-%m-%dT%H:%M"
)
return self.system.set_task_schedule_not_before(
task_id, schedule_not_before
)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xx", out_signature="")
def SetTaskScheduleRepeatAfter(self, task_id, schedule_repeat_after):
"""Sets number of hours after which the task should be repeated.
For example 24 for daily tasks, 24*7 for weekly tasks, ...
The change is persistent after the function returns.
"""
return self.system.set_task_schedule_repeat_after(
task_id, schedule_repeat_after
)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="x", out_signature="ax")
def GetTaskResultIDs(self, task_id):
"""Retrieves list of available task result IDs.
"""
return self.system.get_task_result_ids(task_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xx", out_signature="x")
def GetResultCreatedTimestamp(self, task_id, result_id):
"""Return timestamp of result creation
"""
return self.system.get_task_result_created_timestamp(task_id, result_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xx", out_signature="s")
def GetXMLOfTaskResult(self, task_id, result_id):
"""Retrieves full XML of result of given task.
This can be an ARF or OVAL result file, depending on task EvaluationMode
Deprecated, use GetXMLOfTaskResult instead.
"""
return self.system.get_xml_of_task_result(task_id, result_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xx", out_signature="s")
def GetARFOfTaskResult(self, task_id, result_id):
"""Retrieves full ARF of result of given task.
Deprecated, use GetXMLOfTaskResult instead.
"""
return self.system.get_xml_of_task_result(task_id, result_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="x", out_signature="")
def RemoveTaskResults(self, task_id):
"""Remove all results of given task.
"""
return self.system.remove_task_results(task_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xx", out_signature="")
def RemoveTaskResult(self, task_id, result_id):
"""Remove result of given task.
"""
return self.system.remove_task_result(task_id, result_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xx", out_signature="s")
def GetStdOutOfTaskResult(self, task_id, result_id):
"""Retrieves full stdout of result of given task.
"""
return self.system.get_stdout_of_task_result(task_id, result_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xx", out_signature="s")
def GetStdErrOfTaskResult(self, task_id, result_id):
"""Retrieves full stderr of result of given task.
"""
return self.system.get_stderr_of_task_result(task_id, result_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xx", out_signature="i")
def GetExitCodeOfTaskResult(self, task_id, result_id):
"""Retrieves exit code of result of given task.
"""
return self.system.get_exit_code_of_task_result(task_id, result_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xx", out_signature="s")
def GenerateReportForTaskResult(self, task_id, result_id):
"""Generates and returns HTML report for report of given task.
"""
return self.system.generate_report_for_task_result(task_id, result_id)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="xxs", out_signature="s")
def GenerateFixForTaskResult(self, task_id, result_id, fix_type):
"""Generates and returns remediation script for result of given task.
"""
return self.system.generate_fix_for_task_result(task_id, result_id, fix_type)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE, in_signature='s',
out_signature='s')
def inspect_container(self, cid):
"""Returns inspect data of a container.
Used by `atomic scan`. Do not break this interface!
"""
import docker
docker_conn = docker.Client()
inspect_data = docker_conn.inspect_container(cid)
return json.dumps(inspect_data)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE, in_signature='s',
out_signature='s')
def inspect_image(self, iid):
"""Returns inspect data of an image.
Used by `atomic scan`. Do not break this interface!
"""
import docker
docker_conn = docker.Client()
inspect_data = docker_conn.inspect_image(iid)
return json.dumps(inspect_data)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE, out_signature='s')
def images(self):
"""Used by `atomic scan`. Do not break this interface!
"""
import docker
docker_conn = docker.Client()
images = docker_conn.images(all=True)
return json.dumps(images)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE, out_signature='s')
def containers(self):
"""Used by `atomic scan`. Do not break this interface!
"""
import docker
docker_conn = docker.Client()
cons = docker_conn.containers(all=True)
return json.dumps(cons)
@staticmethod
def _parse_only_cache(config, fetch_cve):
if fetch_cve == 2:
return config.fetch_cve
elif fetch_cve == 1:
return True
elif fetch_cve == 0:
return False
else:
raise RuntimeError("Invalid value %i for fetch_cve" % (fetch_cve))
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature='bbiy', out_signature='s')
def scan_containers(self, onlyactive, allcontainers, number, fetch_cve=2):
"""fetch_cve -
0 to enable CVE fetch
1 to disable CVE fetch
2 to use defaults from oscapd config file
"""
worker = Worker(onlyactive=onlyactive, allcontainers=allcontainers,
number=number,
fetch_cve=self._parse_only_cache(self.system.config, int(fetch_cve)),
fetch_cve_url=self.system.config.fetch_cve_url)
return_json = worker.start_application()
return json.dumps(return_json)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE, in_signature='bbiy',
out_signature='s')
def scan_images(self, allimages, images, number, fetch_cve=2):
"""fetch_cve -
0 to enable CVE fetch
1 to disable CVE fetch
2 to use defaults from oscapd config file
"""
worker = Worker(allimages=allimages, images=images,
number=number,
fetch_cve=self._parse_only_cache(self.system.config, int(fetch_cve)),
fetch_cve_url=self.system.config.fetch_cve_url)
return_json = worker.start_application()
return json.dumps(return_json)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature='asiy', out_signature='s')
def scan_list(self, scan_list, number, fetch_cve=2):
"""fetch_cve -
0 to enable CVE fetch
1 to disable CVE fetch
2 to use defaults from oscapd config file
Used by `atomic scan`. Do not break this interface!
Deprecated, please use CVEScanListAsync
"""
worker = Worker(scan=scan_list, number=number,
fetch_cve=self._parse_only_cache(self.system.config, int(fetch_cve)),
fetch_cve_url=self.system.config.fetch_cve_url)
return_json = worker.start_application()
return json.dumps(return_json)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature='asiy', out_signature='n')
def CVEScanListAsync(self, scan_list, number, fetch_cve):
worker = Worker(
scan=scan_list, number=number,
fetch_cve=self._parse_only_cache(self.system.config, int(fetch_cve)),
fetch_cve_url=self.system.config.fetch_cve_url
)
return self.system.evaluate_cve_scanner_worker_async(worker)
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="n", out_signature="(bs)")
def GetCVEScanListAsyncResults(self, token):
try:
json_results = \
self.system.get_evaluate_cve_scanner_worker_async_results(token)
return (True, json.dumps(json_results))
except system.ResultsNotAvailable:
return (False, "")
@dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
in_signature="n", out_signature="")
def CancelCVEScanListAsync(self, token):
# TODO
pass
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/compat.py�����������������������������������������������������0000644�0001751�0000033�00000003277�13163222324�020252� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
import subprocess
def subprocess_check_output(*popenargs, **kwargs):
# Backport of subprocess.check_output taken from
# https://gist.github.com/edufelipe/1027906
#
# Originally from Python 2.7 stdlib under PSF, compatible with LGPL2+
# Copyright (c) 2003-2005 by Peter Astrand
# Changes by Eduardo Felipe
process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, **kwargs)
output, unused_err = process.communicate()
retcode = process.poll()
if retcode:
cmd = kwargs.get("args")
if cmd is None:
cmd = popenargs[0]
error = subprocess.CalledProcessError(retcode, cmd)
error.output = output
raise error
return output
if hasattr(subprocess, "check_output"):
# if available we just use the real function
subprocess_check_output = subprocess.check_output
__all__ = ["subprocess_check_output"]
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������openscap-daemon-0.1.8/openscap_daemon/config.py�����������������������������������������������������0000644�0001751�0000033�00000046040�13163222324�020227� 0����������������������������������������������������������������������������������������������������ustar �phil����������������������������sudo�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������# Copyright 2015 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# openscap-daemon is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 2.1 of the License, or
# (at your option) any later version.
#
# openscap-daemon is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public License
# along with openscap-daemon. If not, see .
#
# Authors:
# Martin Preisler
try:
import ConfigParser as configparser
except ImportError:
# ConfigParser has been renamed to configparser in python3
import configparser
import os
import os.path
import logging
import shutil
import inspect
from openscap_daemon import cve_feed_manager
class Configuration(object):
def __init__(self):
self.config_file = None
# General section
self.tasks_dir = os.path.join("/", "var", "lib", "oscapd", "tasks")
self.results_dir = os.path.join("/", "var", "lib", "oscapd", "results")
self.work_in_progress_dir = \
os.path.join("/", "var", "lib", "oscapd", "work_in_progress")
self.cve_feeds_dir = \
os.path.join("/", "var", "lib", "oscapd", "cve_feeds")
self.jobs = 4
# -2 means never prune old results
self.max_results_to_keep = -2
# Tools section
self.oscap_path = ""
self.oscap_ssh_path = ""
self.oscap_vm_path = ""
self.oscap_docker_path = ""
self.oscap_chroot_path = ""
self.container_support = True
# Content section
self.cpe_oval_path = ""
self.ssg_path = ""
# CVEScanner section
self.fetch_cve = True
# empty URL means default URL and is a valid value
self.fetch_cve_url = ""
self.fetch_cve_timeout = 10*60
self.cve_feed_manager = cve_feed_manager.CVEFeedManager()
def autodetect_tool_paths(self):
"""This will try a few well-known public paths and change the paths
accordingly. This method will only try to autodetect paths that are
empty!
Auto-detection is implemented for oscap and various related tools and
SCAP Security Guide content.
"""
def autodetect_tool_path(possible_names, possible_prefixes=None):
if possible_prefixes is None:
possible_prefixes = (
os.path.join("/", "usr", "bin"),
os.path.join("/", "usr", "local", "bin"),
os.path.join("/", "opt", "openscap", "bin")
)
for prefix in possible_prefixes:
for name in possible_names:
full_path = os.path.join(prefix, name)
if os.path.isfile(full_path) and \
os.access(full_path, os.X_OK):
logging.info("Autodetected \"%s\" in path \"%s\".",
name, full_path)
return full_path
logging.info(
"Failed to autodetect tool with name %s in prefixes %s.",
" or ".join(possible_names), ", ".join(possible_prefixes)
)
return ""
if self.oscap_path == "":
self.oscap_path = autodetect_tool_path(["oscap", "oscap.exe"])
if self.oscap_ssh_path == "":
self.oscap_ssh_path = autodetect_tool_path(["oscap-ssh"])
if self.oscap_vm_path == "":
self.oscap_vm_path = autodetect_tool_path(["oscap-vm"])
if self.oscap_docker_path == "":
self.oscap_docker_path = autodetect_tool_path(["oscap-docker"])
if self.oscap_chroot_path == "":
self.oscap_chroot_path = autodetect_tool_path(["oscap-chroot"])
if self.container_support:
# let's verify that we really can enable container support
self.container_support = False
try:
__import__("docker")
try:
from Atomic.mount import DockerMount
if "mnt_mkdir" not in \
inspect.getargspec(DockerMount.__init__).args:
logging.error(
"\"Atomic.mount.DockerMount\" has been successfully"
" imported but it doesn't support the mnt_mkdir "
"argument. Please upgrade your Atomic installation "
"to 1.4 or higher. Direct container scanning via "
"oscap-docker will be disabled."
)
logging.info("Successfully imported 'docker' and "
"'Atomic.mount', container scanning enabled.")
self.container_support = True
except ImportError:
logging.warning("Can't import the 'Atomic.mount' package. "
"Direct container scanning via "
"oscap-docker will be disabled.")
except ImportError:
logging.warning("Can't import the 'docker' package. Direct "
"container scanning via oscap-docker will be "
"disabled.")
def autodetect_content_paths(self):
def autodetect_content_path(possible_paths, possible_filenames):
for path in possible_paths:
if not os.path.isdir(path):
continue
for filename in possible_filenames:
full_path = os.path.join(path, filename)
if os.path.exists(full_path):
logging.info("Autodetected SCAP content at \"%s\".",
full_path)
return full_path
logging.info(
"Failed to autodetect SCAP content in paths %s with filenames "
"%s.", ", ".join(possible_paths), ", ".join(possible_filenames)
)
return ""
if self.cpe_oval_path == "":
self.cpe_oval_path = autodetect_content_path([
os.path.join("/", "usr", "share", "openscap", "cpe"),
os.path.join("/", "usr", "local", "share", "openscap", "cpe"),
os.path.join("/", "opt", "openscap", "cpe")],
["openscap-cpe-oval.xml"]
)
def autodetect_content_dir(possible_paths):
for path in possible_paths:
if os.path.isdir(path):
logging.info("Autodetected SCAP content in path \"%s\".",
path)
return path
logging.info(
"Failed to autodetect SCAP content in paths %s.",
", ".join(possible_paths)
)
return ""
if self.ssg_path == "":
self.ssg_path = autodetect_content_dir([
os.path.join("/", "usr", "share", "xml", "scap", "ssg", "content"),
os.path.join("/", "usr", "local", "share", "xml", "scap", "ssg", "content"),
os.path.join("/", "opt", "ssg", "content")
])
def load(self, config_file):
config = configparser.SafeConfigParser()
config.read(config_file)
base_dir = os.path.dirname(config_file)
def absolutize(path):
path = str(path)
if path == "" or os.path.isabs(path):
return path
return os.path.normpath(os.path.join(base_dir, path))
# General section
try:
self.tasks_dir = absolutize(config.get("General", "tasks-dir"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.results_dir = absolutize(config.get("General", "results-dir"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.work_in_progress_dir = absolutize(config.get("General", "work-in-progress-dir"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.cve_feeds_dir = absolutize(config.get("General", "cve-feeds-dir"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.jobs = config.getint("General", "jobs")
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.max_results_to_keep = config.getint("General", "max-results-to-keep")
except (configparser.NoOptionError, configparser.NoSectionError):
pass
# Tools section
try:
self.oscap_path = absolutize(config.get("Tools", "oscap"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.oscap_ssh_path = absolutize(config.get("Tools", "oscap-ssh"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.oscap_vm_path = absolutize(config.get("Tools", "oscap-vm"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.oscap_docker_path = absolutize(config.get("Tools", "oscap-docker"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.oscap_chroot_path = absolutize(config.get("Tools", "oscap-chroot"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.container_support = config.get("Tools", "container-support") \
not in ["no", "0", "false", "False"]
except (configparser.NoOptionError, configparser.NoSectionError):
pass
# Content section
try:
self.cpe_oval_path = absolutize(config.get("Content", "cpe-oval"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.ssg_path = absolutize(config.get("Content", "ssg"))
except (configparser.NoOptionError, configparser.NoSectionError):
pass
# CVEScanner section
try:
self.fetch_cve = config.get("CVEScanner", "fetch-cve") not in \
["no", "0", "false", "False"]
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.fetch_cve_url = config.get("CVEScanner", "fetch-cve-url")
except (configparser.NoOptionError, configparser.NoSectionError):
pass
try:
self.fetch_cve_timeout = config.getint("CVEScanner", "fetch-cve-timeout")
except (configparser.NoOptionError, configparser.NoSectionError):
pass
self.config_file = config_file
def save_as(self, config_file):
config = configparser.SafeConfigParser()
config.add_section("General")
config.set("General", "tasks-dir", str(self.tasks_dir))
config.set("General", "results-dir", str(self.results_dir))
config.set("General", "work-in-progress-dir", str(self.work_in_progress_dir))
config.set("General", "cve-feeds-dir", str(self.cve_feeds_dir))
config.set("General", "jobs", str(self.jobs))
config.set("General", "max-results-to-keep", str(self.max_results_to_keep))
config.add_section("Tools")
config.set("Tools", "oscap", str(self.oscap_path))
config.set("Tools", "oscap-ssh", str(self.oscap_ssh_path))
config.set("Tools", "oscap-vm", str(self.oscap_vm_path))
config.set("Tools", "oscap-docker", str(self.oscap_docker_path))
config.set("Tools", "oscap-chroot", str(self.oscap_chroot_path))
config.set("Tools", "container-support",
"yes" if self.container_support else "no")
config.add_section("Content")
config.set("Content", "cpe-oval", str(self.cpe_oval_path))
config.set("Content", "ssg", str(self.ssg_path))
config.add_section("CVEScanner")
config.set("CVEScanner", "fetch-cve", "yes" if self.fetch_cve else "no")
config.set("CVEScanner", "fetch-cve-url", str(self.fetch_cve_url))
config.set("CVEScanner", "fetch-cve-timeout",
str(self.fetch_cve_timeout))
if hasattr(config_file, "write"):
# config_file is an already opened file, let's use it like one
config.write(config_file)
else:
# treat config_file as a path
with open(config_file, "w") as f:
config.write(f)
self.config_file = config_file
def save(self):
self.save_as(self.config_file)
def prepare_dirs(self, cleanup_allowed=True):
if not os.path.exists(self.tasks_dir):
logging.info(
"Creating tasks directory at '%s' because it didn't exist.",
self.tasks_dir
)
os.makedirs(self.tasks_dir, 0o750)
if not os.path.exists(self.results_dir):
logging.info(
"Creating results directory at '%s' because it didn't exist.",
self.results_dir
)
os.makedirs(self.results_dir)
if not os.path.exists(self.work_in_progress_dir):
logging.info(
"Creating results work in progress directory at '%s' because "
"it didn't exist.", self.work_in_progress_dir
)
os.makedirs(self.work_in_progress_dir)
if not os.path.exists(self.cve_feeds_dir):
logging.info(
"Creating CVE feeds directory at '%s' because it didn't exist.",
self.cve_feeds_dir
)
os.makedirs(self.cve_feeds_dir)
if cleanup_allowed:
for dir_ in os.listdir(self.work_in_progress_dir):
full_path = os.path.join(self.work_in_progress_dir, dir_)
logging.info(
"Found '%s' in work_in_progress results directory, full "
"path is '%s'. This is most likely a left-over from an "
"earlier crash. Deleting...", dir_, full_path
)
try:
shutil.rmtree(full_path)
except OSError as e:
if e.errno == 13: # permission denied
logging.warning(
"Tried to delete '%s' to clean-up but permission "
"was denied. Skipping...", full_path)
else:
raise
def sanity_check(self):
def sanity_check_dir(path, config_file_entry, desc, allow_empty=False):
if allow_empty and path == "":
return
if not os.path.exists(path):
raise RuntimeError(
"Path '%s' given for the %s folder (config file entry: %s) "
"doesn't exist." % (path, desc, config_file_entry)
)
if not os.path.isdir(path):
raise RuntimeError(
"Path '%s' given for the %s folder (config file entry: %s) "
"is not a directory." % (path, desc, config_file_entry)
)
def sanity_check_file(path, config_file_entry, desc, allow_empty=False):
if allow_empty and path == "":
return
if not os.path.exists(path):
raise RuntimeError(
"Path '%s' given for the %s file (config file entry: %s) "
"doesn't exist." % (path, desc, config_file_entry)
)
if not os.path.isfile(path):
raise RuntimeError(
"Path '%s' given for the %s file (config file entry: %s) "
"is not a file." % (path, desc, config_file_entry)
)
sanity_check_dir(self.tasks_dir,
"Tasks configuration storage", "tasks-dir")
sanity_check_dir(self.results_dir, "Results storage", "results-dir")
sanity_check_dir(self.work_in_progress_dir,
"Temporary storage / work in progress",
"work-in-progress-dir")
sanity_check_dir(self.cve_feeds_dir,
"CVE feeds storage", "cve-feeds-dir")
# self.jobs
# self.max_results_to_keep
# self.oscap_path = ""
# self.oscap_ssh_path = ""
# self.oscap_vm_path = ""
# self.oscap_docker_path = ""
# self.oscap_chroot_path = ""
# self.container_support = True
sanity_check_file(self.cpe_oval_path, "CPE OVAL", "cpe-oval")
sanity_check_dir(self.ssg_path, "SCAP Security Guide", "ssg", True)
# self.fetch_cve = True
# self.fetch_cve_url = ""
# self.fetch_cve_timeout = 10*60
def get_cve_feed(self, cpe_ids):
self.cve_feed_manager.dest = self.cve_feeds_dir
if self.fetch_cve_url != "":
self.cve_feed_manager.url = self.fetch_cve_url
else:
self.cve_feed_manager.url = \
cve_feed_manager.CVEFeedManager.default_url
self.cve_feed_manager.fetch_enabled = self.fetch_cve
self.cve_feed_manager.fetch_timeout = self.fetch_cve_timeout
return self.cve_feed_manager.get_cve_feed(cpe_ids)
def get_ssg_sds(self, cpe_ids):
def get_ssg_sds_path(cpe_ids):
if "cpe:/o:redhat:enterprise_linux:7" in cpe_ids:
return os.path.join(self.ssg_path, "ssg-rhel7-ds.xml")
if "cpe:/o:redhat:enterprise_linux:6" in cpe_ids:
return os.path.join(self.ssg_path, "ssg-rhel6-ds.xml")
if "cpe:/o:redhat:enterprise_linux:5" in cpe_ids:
return os.path.join(self.ssg_path, "ssg-rhel5-ds.xml")
for cpe_id in cpe_ids:
if cpe_id.startswith("cpe:/o:fedoraproject:fedora:"):
return os.path.join(self.ssg_path, "ssg-fedora-ds.xml")
if "cpe:/o:centos:centos:7" in cpe_ids:
return os.path.join(self.ssg_path, "ssg-centos7-ds.xml")
if "cpe:/o:centos:centos:6" in cpe_ids:
return os.path.join(self.ssg_path, "ssg-centos6-ds.xml")
if "cpe:/o:centos:centos:5" in cpe_ids:
return os.path.join(self.ssg_path, "ssg-centos5-ds.xml")
raise RuntimeError(
"Can't find suitable SSG source datastream for CPE IDs %s" %
(", ".join(cpe_ids))
)
path = get_ssg_sds_path(cpe_ids)
if not os.path.exists(path):
raise RuntimeError(
"Suitable SSG source datastream doesn't exist on disk. "
"Expected at path '%s'. Please install 'scap-security-guide' "
"of version 0.1.28 or higher." % (path)
)
return path
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������