Updated spamassassin packages are available for Red Hat Enterprise Linux 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated spamassassin package fixes denial of service issue
Advisory ID: RHSA-2004:451-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0796
----------------------------------------------------------------------
1. Summary:
An updated spamassassin package that fixes a denial of service bug when parsing malformed messages is now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
3. Problem description:
SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email.
A denial of service bug has been found in SpamAssassin versions below 2.64. A malicious attacker could construct a message in such a way that would cause spamassassin to stop responding, potentially preventing the delivery or filtering of email. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0796 to this issue.
Users of SpamAssassin should update to these updated packages which contain a backported patch and is not vulnerable to this issue.
Updated ruby packages are available for Red Hat Enterprise Linux 2.1 and 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated ruby package fixes security flaw
Advisory ID: RHSA-2004:441-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
Keywords: file permission
CVE Names: CAN-2004-0755
----------------------------------------------------------------------
1. Summary:
An updated ruby package that fixes insecure file permissions for CGI session files is now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
3. Problem description:
Ruby is an interpreted scripting language for object-oriented programming.
Andres Salomon reported an insecure file permissions flaw in the CGI session management of Ruby. FileStore created world readable files that could allow a malicious local user the ability to read CGI session data. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0755 to this issue.
Users are advised to upgrade to this erratum package, which contains a backported patch to CGI::Session FileStore.
Updated flim packages are available for Red Hat Linux 7.3 and 9
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated flim resolves security vulnerabilities
Advisory ID: FLSA:1581
Issue date: 2004-09-30
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1581
CVE Names: CAN-2004-0422
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated flim packages that fix a security vulnerability are now available.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
3. Problem description:
The flim package includes a MIME library for GNU Emacs and XEmacs used by the wl mail package.
Tatsuya Kinoshita discovered a vulnerability in flim, an emacs library for working with Internet messages. Temporary files were being created without taking adequate precautions, and therefore a local user could potentially overwrite files with the privileges of the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0422 to this issue.
Users of flim are advised to upgrade to this updated package, which contains patches correcting these issues.
Updated xchat packages are available for Red Hat Linux 7.3
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated xchat resolves security vulnerabilities
Advisory ID: FLSA:1549
Issue date: 2004-09-30
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1549
CVE Names: CAN-2004-0409
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated xchat packages that fix a security vulnerability are now available.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
3. Problem description:
X-Chat is a graphical IRC chat client for the X Window System.
A stack buffer overflow flaw was found in the X-Chat's Socks-5 proxy code. An attacker could create a malicious Socks-5 proxy server in such a way that X-Chat would execute arbitrary code if a victim configured X-Chat to use the proxy.
Users of X-Chat should upgrade to this updated package which contains a backported security patch and is not vulnerable to this issue.
Updated tcpdump packages are available for Red Hat Linux 7.3 and 9
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated tcpdump resolves security vulnerabilities
Advisory ID: FLSA:1468
Issue date: 2004-09-29
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1468
CVE Names: CAN-2004-0183, CAN-2004-0184
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated tcpdump packages that fix multiple security vulnerabilities are now available.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
3. Problem description:
Tcpdump is a command-line tool for monitoring network traffic.
Tcpdump v3.8.1 and earlier versions contained multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, tcpdump would try to read beyond the end of the packet capture buffer and subsequently crash.
All users are advised to upgrade to these updated packages, which contain a backported fix and are not vulnerable to this issue.
Updated Ethereal packages are available for Red Hat Linux 7.3 and 9
-------------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated Ethereal packages fix security issues
Advisory ID: FLSA:1840
Issue date: 2004-09-30
Product: Red Hat Linux
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1840
CVE Names: CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
CAN-2004-0504 CAN-2004-0505 CAN-2004-0506
CAN-2004-0507 CAN-2004-0633 CAN-2004-0634
CAN-2004-0635
-------------------------------------------------------------------------
--
-----------------------------------------------------------------------
1. Topic:
Updated Ethereal packages that fix various security vulnerabilities are now available.
Ethereal is a program for monitoring network traffic.
2. Relevent releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
3. Problem description:
Issues fixed with this Ethereal release include:
Stefan Esser reported that Ethereal versions 0.10.1 and earlier contain stack overflows in the IGRP, PGM, Metflow, ISUP, TCAP, or IGAP dissectors. On a system where Ethereal is being run a remote attacker could send malicious packets that could cause Ethereal to crash or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0176 to this issue.
Jonathan Heussser discovered that a carefully-crafted RADIUS packet could cause a crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0365 to this issue.
Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0367 to this issue.
The MMSE dissector in Ethereal releases 0.10.1 through 0.10.3 contained a buffer overflow flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0507 to this issue.
In addition, other flaws in Ethereal prior to 0.10.4 were found that could cause it to crash in response to carefully crafted SIP (CAN-2004-0504), AIM (CAN-2004-0505), or SPNEGO (CAN-2004-0506) packets.
The SNMP dissector in Ethereal releases 0.8.15 through 0.10.4 contained a memory read flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or possibly execute arbitrary code. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0635 to this issue.
The SMB dissector in Ethereal releases 0.9.15 through 0.10.4 contained a null pointer flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0634 to this issue.
The iSNS dissector in Ethereal releases 0.10.3 through 0.10.4 contained an integer overflow flaw. On a system where Ethereal is running, a remote attacker could send malicious packets that could cause Ethereal to crash or possibly execute arbitrary code. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0633 to this issue.
Users of Ethereal should upgrade to these updated packages, which contain backported security patches that correct these issues.
Updated rsync packages are available for Red Hat Linux 7.3 and 9
-------------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated rsync package fixes security issues
Advisory ID: FLSA:2003
Issue date: 2004-09-30
Product: Red Hat Linux
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id
03
CVE Names: CAN-2004-0426 CAN-2004-0792
-------------------------------------------------------------------------
-------------------------------------------------------------------------
1. Topic:
An updated rsync package that fixes several security issues is now available.
The rsync program synchronizes files over a network.
2. Relevent releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
3. Problem description:
Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot. This could allow a remote attacker to write files outside of the module's "path", depending on the privileges assigned to the rsync daemon. Users not running an rsync daemon, running a read-only daemon, or running a chrooted daemon are not affected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0426 to this issue.
Versions of rsync up to and including version 2.6.2 contain a path sanitization issue. This issue could allow an attacker to read or write files outside of the rsync directory. This vulnerability is only exploitable when an rsync server is enabled and is not running within a chroot. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0792 to this issue.
Users of rsync are advised to upgrade to this updated package, which contains backported patches and is not affected by these issues.
The Linux seller plans to release the Netscape Enterprise Suite as open-source software in a bid to expand beyond its core product.
Read more
Fedora Legacy now has Fedora Core 1 trees available for use.
The tree can be viewed at
http://download.fedoralegacy.org/fedora/1/ or on your favorite mirror.
Watch for legacy-utils to be populated soon, when QA is done, and package updates to follow. Please direct questions to secnotice@fedoralegacy.org.
Red Hat Inc.'s Enterprise Linux 4 products, scheduled for release early next year, will support five Indian languages, reflecting the growing importance of the Indian market, according to an executive of the Raleigh, North Carolina-based Linux company.
Read more
Updated cadaver packages are available for Red Hat Linux 7.3 and 9
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated cadaver resolves security vulnerabilities
Advisory ID: FLSA:1552
Issue date: 2004-09-29
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1552
CVE Names: CAN-2004-0179, CAN-2004-0398
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated cadaver packages that fix multiple security vulnerability are now available.
Updated tcpdump packages are available for Red Hat Linux 7.3 and 9
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated tcpdump resolves security vulnerabilities
Advisory ID: FLSA:1468
Issue date: 2004-09-29
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1468
CVE Names: CAN-2004-0183, CAN-2004-0184
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated tcpdump packages that fix multiple security vulnerabilities are now available.
The first public beta of Red Hat Enterprise Linux 4 is now available for download
Mirror #1 (USA) Mirror #2 (USA) Mirror #3 (Europe) Mirror #4 (Europe) Mirror #5 (Asia)Here the full announcement:
Red Hat is pleased to announce the availability of the Red Hat Enterprise Linux (version 4) Beta 1 milestone.
This is a public beta. Please feel free to forward this announcement to anyone who may be interested in testing this beta release.
Red Hat Enterprise Linux v. 4 Beta is a preview of the next generation of Red Hat's comprehensive suite of enterprise operating systems -- designed for mission-critical enterprise computing and certified by top enterprise software vendors. More information on the current Red Hat Enterprise Linux version 3 and version 2.1 products is available at:
http://www.redhat.com/software/rhel/This announcement includes details on obtaining the beta software, reporting bugs, and communicating with Red Hat and other testers via mailing lists during the beta period.
Updated samba packages are available for Red Hat Enterprise Linux 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated samba packages fix vulnerabilities
Advisory ID: RHSA-2004:467-01
Issue date: 2004-09-22
Updated on: 2004-09-22
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0807 CAN-2004-0808
----------------------------------------------------------------------
1. Summary:
Updated samba packages that fix two denial of service vulnerabilities are now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
An updated redhat-config-nfs package is available for Red Hat Enterprise Linux 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated redhat-config-nfs package resolves several security issues
Advisory ID: RHSA-2004:434-01
Issue date: 2004-09-22
Updated on: 2004-09-22
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0750
----------------------------------------------------------------------
1. Summary:
An updated redhat-config-nfs package that fixes bugs and potential security issues is now available for Red Hat Enterprise Linux 3.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 - noarch
Red Hat Desktop version 3 - noarch
Red Hat Enterprise Linux ES version 3 - noarch
Red Hat Enterprise Linux WS version 3 - noarch
Webppliance.info has released PHP 5.0.1 packages for Redhat Enterprise Linux 3 Update 3 and Fedora Core 1
Updated gdk-pixbuf packages are available for Red Hat Enterprise Linux
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated gdk-pixbuf packages fix security flaws
Advisory ID: RHSA-2004:447-02
Issue date: 2004-09-15
Updated on: 2004-09-15
Product: Red Hat Enterprise Linux
Obsoletes: RHSA-2004:103
CVE Names: CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
----------------------------------------------------------------------
1. Summary:
Updated gdk-pixbuf packages that fix several security flaws are now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Updated gtk2 packages are available for Red Hat Enterprise Linux 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated gtk2 packages fix security flaws and bugs
Advisory ID: RHSA-2004:466-01
Issue date: 2004-09-15
Updated on: 2004-09-15
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0753 CAN-2004-0782 CAN-2004-0783 CAN-2004-0788
----------------------------------------------------------------------
1. Summary:
Updated gtk2 packages that fix several security flaws and bugs are now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Updated imblib packages are available for Red Hat Enterprise Linux
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated imlib package fixes security vulnerability
Advisory ID: RHSA-2004:465-01
Issue date: 2004-09-15
Updated on: 2004-09-15
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0817
----------------------------------------------------------------------
1. Summary:
An updated imlib package that fixes several heap overflows is now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
An updated mc package is available for Red Hat Enterprise Linux 2.1
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated mc package resolves security vulnerabilities
Advisory ID: RHSA-2004:464-01
Issue date: 2004-09-15
Updated on: 2004-09-15
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0494
----------------------------------------------------------------------
1. Summary:
An updated mc package that resolves several shell escape security issues is now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux WS version 2.1 - i386
