Updated apache packages are available for Red Hat Linux 9 and Fedora Core 1
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated httpd packages fix security issues
Advisory ID: FLSA:2068
Issue date: 2004-10-09
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2068
CVE Names: CAN-2004-0488 CAN-2004-0493 CAN-2004-0747
CVE Names: CAN-2004-0748 CAN-2004-0751 CAN-2004-0786
CVE Names: CAN-2004-0809 CAN-2004-0811
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated httpd packages that include fixes for security issues are now available.
The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.
2. Relevant releases/architectures:
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Updated netpbm packages are available for Red Hat Linux 7.3 and 9
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated netpbm resolves security vulnerabilities
Advisory ID: FLSA:1257
Issue date: 2004-10-08
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1257
CVE Names: CVE-2003-0924
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated netpbm packages that fix security vulnerabilities are now available.
The netpbm package contains a library of functions that support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps), and others.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Updated PHP packages are available for Red Hat Linux 7.3 and 9
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated php packages fix security issues
Advisory ID: FLSA:1868
Issue date: 2004-10-07
Product: Red Hat Linux
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1868
CVE Names: CAN-2004-0594 CAN-2004-0595
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated php packages that fix various security issues are now available.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Updated cvs packages are available for Red Hat Linux 7.3 and 9
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated cvs resolves security vulnerabilities
Advisory ID: FLSA:1735
Issue date: 2004-10-07
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1735
CVE Names: CAN-2004-0414, CAN-2004-0416, CAN-2004-0417,
CAN-2004-0418, CAN-2004-0778
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated cvs packages that fix a security vulnerabilities are now available.
CVS is a version control system frequently used to manage source code repositories.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Updated libxml2 packages are available for Red Hat Linux 7.3
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated libxml2 resolves security vulnerability
Advisory ID: FLSA:1324
Issue date: 2004-10-04
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1324
CVE Names: CAN-2004-0110
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
[Updated 4th October 2004]
The packages contained in the original release of this advisory were missing python 2.2 support. These updated packages restore the missing functionality.
Updated libxml2 packages that fix an overflow when parsing remote resources are now available.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Updated cyrus-sasl packages are available for Red Hat Enterprise Linux 2.1 and 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated cyrus-sasl packages fix security flaw
Advisory ID: RHSA-2004:546-01
Issue date: 2004-10-07
Updated on: 2004-10-07
Product: Red Hat Enterprise Linux
Keywords: environment
CVE Names: CAN-2004-0884
----------------------------------------------------------------------
1. Summary:
Updated cyrus-sasl packages that fix a setuid and setgid application vulnerability are now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat has released updated XFree86 packages for Red Hat Enterprise Linux 2.1
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated XFree86 packages fix security issues and bugs
Advisory ID: RHSA-2004:479-01
Issue date: 2004-10-06
Updated on: 2004-10-06
Product: Red Hat Enterprise Linux
Keywords: ATI Radeon 7000m
Obsoletes: RHBA-2004:155
CVE Names: CAN-2004-0687 CAN-2004-0688 CAN-2004-0692
----------------------------------------------------------------------
1. Summary:
Updated XFree86 packages that fix several security issues in libXpm, as well as other bug fixes, are now available for Red Hat Enterprise Linux 2.1.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Edward Kozel, Cisco's former chief technology officer, joins the board of Linux seller Red Hat.
Read more
Updated samba packages are available for Red Hat Enterprise Linux 2.1
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated samba packages fix security issue
Advisory ID: RHSA-2004:498-01
Issue date: 2004-10-04
Updated on: 2004-10-04
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0815
----------------------------------------------------------------------
1. Summary:
Updated samba packages that fix an input validation vulnerability are now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Updated XFree86 packages are available for Red Hat Enterprise Linux 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated XFree86 packages fix security issues and bugs
Advisory ID: RHSA-2004:478-01
Issue date: 2004-10-04
Updated on: 2004-10-04
Product: Red Hat Enterprise Linux
Obsoletes: RHEA-2004:352
CVE Names: CAN-2004-0419 CAN-2004-0687 CAN-2004-0688 CAN-2004-0692
----------------------------------------------------------------------
1. Summary:
Updated XFree86 packages that fix several security flaws in libXpm, as well as other bugs, are now available for Red Hat Enterprise Linux 3.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Updated kdelibs and kdebase packages are available for Red Hat Enterprise Linux 2.1 and 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated kdelibs and kdebase packages correct security issues
Advisory ID: RHSA-2004:412-01
Issue date: 2004-10-04
Updated on: 2004-10-04
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0689 CAN-2004-0746 CAN-2004-0721
----------------------------------------------------------------------
1. Summary:
Updated kdelib and kdebase packages that resolve multiple security issues are now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Updated mod_python packages are available for Red HAt Linux 7.3
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated mod_python resolves security vulnerability
Advisory ID: FLSA:1325
Issue date: 2004-10-03
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1325
CVE Names: CAN-2003-0973
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated mod_python packages that fix a security vulnerability are now available.
mod_python embeds the Python language interpreter within the Apache httpd server.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Updated systat packages are available for Red Hat Linux 7.3
------------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated sysstat packages fix security vulnerabilities
Advisory ID: FLSA:1372
Issue date: 2004-10-03
Product: Red Hat Linux
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1372
CVE Names: CAN-2004-0107
------------------------------------------------------------------------
------------------------------------------------------------------------
1. Topic:
Updated sysstat packages that fix various bugs and a minor security issue are now available.
Sysstat is a tool for gathering system statistics.
2. Relevent releases/architectures:
Red Hat Linux 7.3 - i386
Updated squirrelmail packages are available for Red Hat Linux 9
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated squirrelmail resolves security vulnerabilities
Advisory ID: FLSA:1733
Issue date: 2004-10-02
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1733
CVE Names: CAN-2004-0519, CAN-2004-0520, CAN-2004-0521
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated squirrelmail packages that fix a security vulnerability are now available.
SquirrelMail is a standards-based webmail package written in PHP4.
2. Relevant releases/architectures:
Red Hat Linux 9 - i386
Updated mozilla packages are available for Red Hat Enterprise Linux 2.1 and 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated mozilla packages fix security issues
Advisory ID: RHSA-2004:486-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0902 CAN-2004-0903 CAN-2004-0904 CAN-2004-0905 CAN-2004-0908
----------------------------------------------------------------------
1. Summary:
Updated mozilla packages that fix a number of security issues are now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
3. Problem description:
Mozilla is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.
Jesse Ruderman discovered a cross-domain scripting bug in Mozilla. If a user is tricked into dragging a javascript link into another frame or page, it becomes possible for an attacker to steal or modify sensitive information from that site. Additionally, if a user is tricked into dragging two links in sequence to another window (not frame), it is possible for the attacker to execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0905 to this issue.
Gael Delalleau discovered an integer overflow which affects the BMP handling code inside Mozilla. An attacker could create a carefully crafted BMP file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image is viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0904 to this issue.
Georgi Guninski discovered a stack-based buffer overflow in the vCard display routines. An attacker could create a carefully crafted vCard file in such a way that it would cause Mozilla to crash or execute arbitrary code when viewed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0903 to this issue.
Wladimir Palant discovered a flaw in the way javascript interacts with the clipboard. It is possible that an attacker could use malicious javascript code to steal sensitive data which has been copied into the clipboard. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0908 to this issue.
Georgi Guninski discovered a heap based buffer overflow in the "Send Page" feature. It is possible that an attacker could construct a link in such a way that a user attempting to forward it could result in a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0902 to this issue.
Users of Mozilla should update to these updated packages, which contain backported patches and are not vulnerable to these issues.
Updated squid packages are available for Red Hat Enterprise Linux 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated squid package fixes security vulnerability
Advisory ID: RHSA-2004:462-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0832
----------------------------------------------------------------------
1. Summary:
An updated squid package that fixes a security vulnerability in the NTLM authentication helper is now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
3. Problem description:
Squid is a full-featured Web proxy cache.
An out of bounds memory read bug was found within the NTLM authentication helper routine. If Squid is configured to use the NTLM authentication helper, a remote attacker could send a carefully crafted NTLM authentication packet and cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0832 to this issue.
Note: The NTLM authentication helper is not enabled by default in Red Hat Enterprise Linux 3. Red Hat Enterprise Linux 2.1 is not vulnerable to this issue as it shipped with a version of Squid which did not contain the vulnerable helper.
Users of Squid should update to this erratum package, which contains a backported patch and is not vulnerable to this issue.
Updated spamassassin packages are available for Red Hat Enterprise Linux 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated spamassassin package fixes denial of service issue
Advisory ID: RHSA-2004:451-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0796
----------------------------------------------------------------------
1. Summary:
An updated spamassassin package that fixes a denial of service bug when parsing malformed messages is now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
3. Problem description:
SpamAssassin provides a way to reduce unsolicited commercial email (SPAM) from incoming email.
A denial of service bug has been found in SpamAssassin versions below 2.64. A malicious attacker could construct a message in such a way that would cause spamassassin to stop responding, potentially preventing the delivery or filtering of email. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0796 to this issue.
Users of SpamAssassin should update to these updated packages which contain a backported patch and is not vulnerable to this issue.
Updated ruby packages are available for Red Hat Enterprise Linux 2.1 and 3
----------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated ruby package fixes security flaw
Advisory ID: RHSA-2004:441-01
Issue date: 2004-09-30
Updated on: 2004-09-30
Product: Red Hat Enterprise Linux
Keywords: file permission
CVE Names: CAN-2004-0755
----------------------------------------------------------------------
1. Summary:
An updated ruby package that fixes insecure file permissions for CGI session files is now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
3. Problem description:
Ruby is an interpreted scripting language for object-oriented programming.
Andres Salomon reported an insecure file permissions flaw in the CGI session management of Ruby. FileStore created world readable files that could allow a malicious local user the ability to read CGI session data. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0755 to this issue.
Users are advised to upgrade to this erratum package, which contains a backported patch to CGI::Session FileStore.
Updated flim packages are available for Red Hat Linux 7.3 and 9
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated flim resolves security vulnerabilities
Advisory ID: FLSA:1581
Issue date: 2004-09-30
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1581
CVE Names: CAN-2004-0422
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated flim packages that fix a security vulnerability are now available.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
3. Problem description:
The flim package includes a MIME library for GNU Emacs and XEmacs used by the wl mail package.
Tatsuya Kinoshita discovered a vulnerability in flim, an emacs library for working with Internet messages. Temporary files were being created without taking adequate precautions, and therefore a local user could potentially overwrite files with the privileges of the user running emacs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0422 to this issue.
Users of flim are advised to upgrade to this updated package, which contains patches correcting these issues.
Updated xchat packages are available for Red Hat Linux 7.3
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated xchat resolves security vulnerabilities
Advisory ID: FLSA:1549
Issue date: 2004-09-30
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1549
CVE Names: CAN-2004-0409
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated xchat packages that fix a security vulnerability are now available.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
3. Problem description:
X-Chat is a graphical IRC chat client for the X Window System.
A stack buffer overflow flaw was found in the X-Chat's Socks-5 proxy code. An attacker could create a malicious Socks-5 proxy server in such a way that X-Chat would execute arbitrary code if a victim configured X-Chat to use the proxy.
Users of X-Chat should upgrade to this updated package which contains a backported security patch and is not vulnerable to this issue.
